Waffle at NYCJavaSig

Posted 27-Jun-2015, Category: Technology

Windows Authentication for Java with WAFFLE presented at NYJavaSig, February 2012

Transcript of Waffle at NYCJavaSig

1.

  • Daniel Doubrovkine | @dblockdotorg

2.

  • Most enterprise customers can't log in to your product.
  • What do you mean by "you don't support nested groups"?

3.

  • What is my canonical username?
  • What local groups am I a member of?
  • What domain groups am I a member of?

4.

  • User and Group Names Used Instead of SIDs
  • Used Net* Functions to Enumerate Local Groups
  • Tried to Use LDAP to Enumerate Domain Groups
  • Failed to Support Nested Groups
  • Failed to Resolve Domain Trusts
  • and much more that few people know about AD

5.

  • Enterprises are Switching to Smart Cards + PIN

6.

  • 100% Java
    • JNA: http://github.com/twall/jna
  • Win32 API
    • Won't work on *nix

7.

    BOOL LogonUser(LPTSTR lpszUsername, LPTSTR lpszDomain, LPTSTR lpszPassword,
                   DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken);

advapi32.dll

8.

    // a user handle
    HANDLEByReference phUser = new HANDLEByReference();
    if (!Advapi32.INSTANCE.LogonUser("Administrator", "ENTERPRISE", "password",
            WinBase.LOGON32_LOGON_NETWORK, WinBase.LOGON32_PROVIDER_DEFAULT, phUser)) {
        throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
    }
    // ... use the token, then release it
    Kernel32.INSTANCE.CloseHandle(phUser.getValue());

9.

    // user group memberships: the first call sizes the buffer, the second fills it
    IntByReference tokenInformationLength = new IntByReference();
    Advapi32.INSTANCE.GetTokenInformation(phUser.getValue(),
        WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, null, 0, tokenInformationLength);
    WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(tokenInformationLength.getValue());
    Advapi32.INSTANCE.GetTokenInformation(phUser.getValue(),
        WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, groups, groups.size(), tokenInformationLength);
    for (WinNT.SID_AND_ATTRIBUTES sid : groups.getGroups()) {
        // work with SIDs rather than names (see slide 4)
        System.out.println(Advapi32Util.convertSidToStringSid(sid.Sid));
    }

10.

    // current user name
    char[] name = new char[256];
    IntByReference len = new IntByReference(name.length);
    int format = Secur32.EXTENDED_NAME_FORMAT.NameSamCompatible;   // DOMAIN\user
    Secur32.INSTANCE.GetUserNameEx(format, name, len);
    Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser.getValue());
    // impersonated user
    len.setValue(name.length);
    Secur32.INSTANCE.GetUserNameEx(format, name, len);
    Advapi32.INSTANCE.RevertToSelf();

11.

  • Current User Security Identifier
  • Group Memberships (a list of SIDs)
  • Privileges

Current Thread / Current Process

12.

    HANDLE h = Kernel32.INSTANCE.GetCurrentThread();
    HANDLEByReference phToken = new HANDLEByReference();
    if (!Advapi32.INSTANCE.OpenThreadToken(h,
            WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY, true, phToken)) {
        // the thread is not impersonating: fall back to the process token
        Advapi32.INSTANCE.OpenProcessToken(Kernel32.INSTANCE.GetCurrentProcess(),
            WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY, phToken);
    }
    // enumerate groups with Advapi32.INSTANCE.GetTokenInformation (slide 9)

13.

  • Since Windows 2000
  • Multi-Master Directory Service w/ Trusts
      • Storage
      • Domain Data
      • User Data
      • User Group Data
      • Security Data
      • Etc.
  • Active Directory Service Interface (ADSI)

14.

  • SSP = Security Support Provider
    • Kerberos, Microsoft Windows NT LAN Manager (NTLM), Negotiate
  • SSPI
    • Proprietary Implementation of GSSAPI (IETF Standard)
    • Integrated Distributed Security Services

15.

  • Insert a Smart Card into a Reader
  • Logon to a Server Joined to an AD Domain
  • Navigate to a Website, No Prompts
  • Check Permissions w/ Application
  • Logged on as a Domain User on the Server
  • $$$

16.

  • AcquireCredentialsHandle
  • InitializeSecurityContext
  • AcceptSecurityContext

Secur32.dll

17.

18.

19.

  • Waffle Provides Windows Authentication and Authorization Functions
  • Filters and Providers for Application Servers Tomcat, Jetty, WebSphere, etc.
  • Open-Source

http://waffle.codeplex.com

20.

  • Waffle-jna.jar + jna.jar + platform.jar
  • WEB-INF\web.xml

        <filter>
            <filter-name>SecurityFilter</filter-name>
            <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>SecurityFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

  • JSP Page

21.

    GET /secure HTTP/1.1

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM

    GET /secure HTTP/1.1
    Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgo9kqa6BepAo=

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=

    GET /secure HTTP/1.1
    Authorization: Negotiate oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAAHQAAAA9SRy02NDEwSU5URVJORVdT

    HTTP/1.1 200 OK
    WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=
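The exchange on slide 21 is the wire form of the SSPI calls on slide 16: the client's InitializeSecurityContext output travels in Authorization: Negotiate, the server's AcceptSecurityContext output comes back in WWW-Authenticate: Negotiate, and the base64 blobs are SPNEGO tokens (RFC 4178 NegTokenInit and NegTokenResp, the first one wrapped in a GSS-API InitialContextToken). The Python below is an added example, not Waffle or JNA code: a minimal DER reader decodes those tokens and reports which mechanism the exchange settled on. The two server tokens are copied from the slide; its client tokens are truncated on the slide, so the client token is constructed here around a placeholder NTLM NEGOTIATE_MESSAGE. The OIDs are the registered SPNEGO, Kerberos and NTLMSSP identifiers.

```python
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KERBEROS = "1.2.840.113554.1.2.2"
OID_MS_KERBEROS = "1.2.840.48018.1.2.2"   # legacy Microsoft Kerberos OID, listed first by Windows clients
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
MECH_NAME = {OID_NTLMSSP: "NTLM", OID_KERBEROS: "Kerberos", OID_MS_KERBEROS: "Kerberos"}

SLIDE_SERVER_CHALLENGE = "oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo="        # copied from slide 21 (second 401)
SLIDE_SERVER_FINAL = "oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA="    # copied from slide 21 (200 OK)
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20     # constructed stand-in for an NTLM NEGOTIATE_MESSAGE
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()   # constructed: bare NTLM, no SPNEGO wrapper

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed DER value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                       # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_negotiate(header_value):
    """Classify the token of a 'Negotiate <base64>' header value (scheme prefix optional)."""
    token = base64.b64decode(header_value.split()[-1])
    info = {"type": None, "mechs": [], "neg_state": None, "has_mic": False}
    if token.startswith(b"NTLMSSP\x00"):       # bare NTLM message sent under the Negotiate scheme
        return dict(info, type="raw-ntlmssp", mechs=[OID_NTLMSSP])
    tag, body, _ = der_read(token)
    if tag == 0x60:                            # GSS-API InitialContextToken: mech OID, then inner token
        (_, oid), (tag, body) = der_children(body)
        if decode_oid(oid) != OID_SPNEGO:
            raise ValueError("not a SPNEGO token: " + decode_oid(oid))
    fields = dict(der_children(der_children(body)[0][1]))   # the SEQUENCE inside [0] / [1]
    if tag == 0xA0:                            # NegTokenInit: [0] mechTypes in the client's preference order
        info["type"] = "NegTokenInit"
        mech_list = der_children(fields[0xA0])[0][1]
        info["mechs"] = [decode_oid(v) for _, v in der_children(mech_list)]
    elif tag == 0xA1:                          # NegTokenResp
        info["type"] = "NegTokenResp"
        if 0xA0 in fields:                     # [0] negState ENUMERATED
            info["neg_state"] = NEG_STATE.get(der_children(fields[0xA0])[0][1][0])
        if 0xA1 in fields:                     # [1] supportedMech: the mechanism the server picked
            info["mechs"] = [decode_oid(der_children(fields[0xA1])[0][1])]
        info["has_mic"] = 0xA3 in fields       # [3] mechListMIC
    return info

def settled_mechanism(header_values):
    """Walk one exchange's Negotiate header values in wire order -> (mechanism name, completed)."""
    mech, completed = None, False
    for hv in header_values:
        info = parse_negotiate(hv)
        if info["mechs"] and (mech is None or info["type"] != "NegTokenInit"):
            mech = info["mechs"][0]            # the server's supportedMech overrides the client's first choice
        completed = completed or info["neg_state"] == "accept-completed"
    return MECH_NAME.get(mech, mech), completed

def der(tag, content):
    """Encode one DER TLV (short-form length; the constructed tokens here stay under 128 bytes)."""
    if len(content) >= 0x80:
        raise ValueError("long-form DER lengths are not needed for these constructed tokens")
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER TLV (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:                          # remaining bits go in front with the high bit set
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def build_neg_token_init(mechs, mech_token):
    """Constructed client token: GSS InitialContextToken wrapping a NegTokenInit."""
    mech_types = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mechs)))
    inner = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, mech_token))))
    return base64.b64encode(der(0x60, encode_oid(OID_SPNEGO) + inner)).decode()
```

Run over the slide's exchange, the second token's supportedMech is the NTLMSSP OID and the last token's negState is accept-completed: the browser authenticated with NTLM, not Kerberos, which is what happens when the client cannot obtain a service ticket (no SPN registered for the site, a client outside the domain, a URL by IP address). Waffle accepts both mechanisms, so logging the settled mechanism per request is the simplest way to see how much of the traffic falls back to NTLM.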

22.

  • IWindowsAuthProvider
  • IWindowsAccount
  • IWindowsComputer
  • IWindowsDomain
  • IWindowsIdentity
        IntPtr securityToken = Advapi32.LogonUser(username, domain, password);
        WindowsIdentity windowsIdentity = new WindowsIdentity(securityToken);
        return windowsIdentity.Groups;

23.