Decrypt kerberos ticket using Spnego

I'm using spnego ( http://spnego.sourceforge.net ) for Kerberos authentication under JBoss.

I need to decrypt the Kerberos ticket to access the authorization-data, which will contain the PAC data. The PAC data is needed to decide which roles are to be granted to the user.

How do I access and decrypt the Kerberos ticket? I've searched the net for examples, but without success.

Danubian Sailor asked Dec 22 '10 11:12


1 Answer

These guys have a full PAC decoding implementation:

http://jaaslounge.sourceforge.net/

You can use the token parser like this:

import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import org.jaaslounge.decoding.spnego.SpnegoInitToken; // package as shipped in jaaslounge-decoding

HttpServletRequest request = (HttpServletRequest) req;
String header = request.getHeader("Authorization");
// The browser sends "Negotiate <base64 token>"; the prefix is exactly 10 characters.
if (header == null || !header.startsWith("Negotiate ")) {
    throw new IllegalArgumentException("no SPNEGO token in Authorization header");
}
byte[] spnegoHeader = Base64.getDecoder().decode(header.substring(10)); // java.util.Base64 stands in for the unnamed Base64 class

SpnegoInitToken spnegoToken = new SpnegoInitToken(spnegoHeader);

You're going to need to jump through some hoops if you want to decrypt the underlying Kerberos ticket. Not sure if you need that.

Grant

Grant Cermak answered Sep 18 '22 09:09
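What the answer's SpnegoInitToken does, taken one layer further, as an added example that is not from the original post, from jaaslounge or from the spnego project: it walks the Negotiate header down through the GSS-API framing and the NegTokenInit to the Kerberos AP-REQ, and reads the cleartext Ticket fields (realm, service principal, etype, kvno) that tell you which keytab entry is needed before any decryption can happen. The realm, service name and cipher bytes are constructed sample data, and the function names (inspect_negotiate_header, describe_ap_req, sample_header) are my own, not an API of either project.

```python
"""SPNEGO Negotiate header -> Kerberos AP-REQ -> cleartext Ticket fields. Sample data is constructed."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"    # Kerberos V5 (RFC 1964)
MS_KRB5_OID = "1.2.840.48018.1.2.2"  # Microsoft Kerberos OID; Windows clients list it first
OID_DER = {SPNEGO_OID: bytes.fromhex("06062b0601050502"),
           KRB5_OID: bytes.fromhex("06092a864886f712010202"),
           MS_KRB5_OID: bytes.fromhex("06092a864882f712010202")}
KRB_AP_REQ = b"\x01\x00"             # TOK_ID of KRB_AP_REQ (RFC 4121 section 4.1)

def tlv(tag, value):                 # DER TLV: single-byte tag, short or long definite length
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value

def integer(n):
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def read(buf, pos=0):                # one TLV at pos -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(value):                 # every (tag, value) inside a constructed value
    pos = 0
    while pos < len(value):
        tag, v, pos = read(value, pos)
        yield tag, v

def decode_oid(b):
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def split_gss_token(buf):
    """RFC 2743 3.1 InitialContextToken: [APPLICATION 0] { thisMech OID, inner token }."""
    tag, body, _ = read(buf)
    otag, oid_bytes, pos = read(body)
    if tag != 0x60 or otag != 0x06:
        raise ValueError("not a GSS-API InitialContextToken")
    return decode_oid(oid_bytes), body[pos:]

def parse_neg_token_init(spnego_body):
    """NegotiationToken CHOICE negTokenInit [0] -> (mechTypes [0], mechToken [2])."""
    tag, init, _ = read(spnego_body)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit, got negTokenResp or unknown")
    fields = dict(children(read(init)[1]))                # NegTokenInit ::= SEQUENCE
    mech_types = [decode_oid(v) for t, v in children(read(fields[0xA0])[1]) if t == 0x06]
    return mech_types, read(fields[0xA2])[1] if 0xA2 in fields else None

def describe_ap_req(mech_token):
    """Unwrap the Kerberos token and read the unencrypted Ticket fields (RFC 4120 5.3)."""
    mech, inner = split_gss_token(mech_token)
    tag, ap_req, _ = read(inner[2:])                      # AP-REQ ::= [APPLICATION 14] SEQUENCE
    if mech not in (KRB5_OID, MS_KRB5_OID) or inner[:2] != KRB_AP_REQ or tag != 0x6E:
        raise ValueError("mechToken is not a KRB_AP_REQ")
    ap = dict(children(read(ap_req)[1]))
    ticket = dict(children(read(read(ap[0xA3])[1])[1]))   # ticket [3] -> [APPLICATION 1] -> SEQUENCE
    sname = dict(children(read(ticket[0xA2])[1]))          # PrincipalName
    enc = dict(children(read(ticket[0xA3])[1]))            # enc-part: EncryptedData
    return {
        "realm": read(ticket[0xA1])[1].decode("ascii"),
        "sname": "/".join(v.decode("ascii") for _, v in children(read(sname[0xA1])[1])),
        "etype": int.from_bytes(read(enc[0xA0])[1], "big", signed=True),
        "kvno": int.from_bytes(read(enc[0xA1])[1], "big", signed=True) if 0xA1 in enc else None,
        "cipher_len": len(read(enc[0xA2])[1]),
    }

def inspect_negotiate_header(header):  # same input the page's SpnegoInitToken takes
    if not header.startswith("Negotiate "):
        raise ValueError("not a SPNEGO Negotiate header")
    raw = base64.b64decode(header[len("Negotiate "):])
    mech, body = split_gss_token(raw)
    if mech != SPNEGO_OID:                                 # bare Kerberos token, no SPNEGO wrapper
        return dict(describe_ap_req(raw), mech_types=[mech])
    mech_types, mech_token = parse_neg_token_init(body)
    return dict(describe_ap_req(mech_token), mech_types=mech_types)

def sample_header():  # constructed NegTokenInit for HTTP/web.example.com@EXAMPLE.COM, fake ciphertext
    sname = tlv(0x30, tlv(0xA0, integer(2)) + tlv(0xA1, tlv(0x30, tlv(0x1B, b"HTTP")   # NT-SRV-INST
                 + tlv(0x1B, b"web.example.com"))))
    enc_part = tlv(0x30, tlv(0xA0, integer(18)) + tlv(0xA1, integer(3))                # aes256-cts, kvno 3
                 + tlv(0xA2, tlv(0x04, b"\xAA" * 48)))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA0, integer(5)) + tlv(0xA1, tlv(0x1B, b"EXAMPLE.COM"))
                 + tlv(0xA2, sname) + tlv(0xA3, enc_part)))
    ap_req = tlv(0x6E, tlv(0x30, tlv(0xA0, integer(5)) + tlv(0xA1, integer(14))
                 + tlv(0xA2, tlv(0x03, b"\x00\x20\x00\x00\x00"))                     # ap-options: mutual-required
                 + tlv(0xA3, ticket)
                 + tlv(0xA4, tlv(0x30, tlv(0xA0, integer(18)) + tlv(0xA2, tlv(0x04, b"\xBB" * 40))))))
    krb_token = tlv(0x60, OID_DER[KRB5_OID] + KRB_AP_REQ + ap_req)
    neg_init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, OID_DER[MS_KRB5_OID] + OID_DER[KRB5_OID]))
                 + tlv(0xA2, tlv(0x04, krb_token))))
    return "Negotiate " + base64.b64encode(tlv(0x60, OID_DER[SPNEGO_OID] + neg_init)).decode("ascii")
```

Decrypting enc-part still needs the service's long-term key for exactly that etype and kvno (the keytab entry for HTTP/web.example.com@EXAMPLE.COM in the sample) and the RFC 3961 cipher for the etype (aes256-cts-hmac-sha1-96 for 18); only then does the PAC appear in the ticket's authorization-data, as AD-WIN2K-PAC (ad-type 128) wrapped in AD-IF-RELEVANT (ad-type 1). Nothing read here is authenticated until the AP-REQ has been verified against that key, so none of these cleartext fields should feed a role decision on their own.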