Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is this Waffle SSO example doing

Tags:

java

single-sign-on

kerberos

waffle

I'm trying to implement a SSO on Windows (in Java). Recently I discovered this example doing exactly what I want to do with Waffle:

// client credentials handle
IWindowsCredentialsHandle credentials= WindowsCredentialsHandleImpl.getCurrent("Negotiate");
credentials.initialize();

// initial client security context
WindowsSecurityContextImpl clientContext = new WindowsSecurityContextImpl();
clientContext.setPrincipalName(Advapi32Util.getUserName());
clientContext.setCredentialsHandle(credentials.getHandle());
clientContext.setSecurityPackage(securityPackage);
clientContext.initialize();

// accept on the server
WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
IWindowsSecurityContext serverContext = null;

do {  

    if (serverContext != null) {

        // initialize on the client
        SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverContext.getToken());
        clientContext.initialize(clientContext.getHandle(), continueToken);
    }  

    // accept the token on the server
    serverContext = provider.acceptSecurityToken(clientContext.getToken(), "Negotiate");

} while (clientContext.getContinue() || serverContext.getContinue());

System.out.println(serverContext.getIdentity().getFqn());
for (IWindowsAccount group : serverContext.getIdentity().getGroups()) {
    System.out.println(" " + group.getFqn());
}            

...

The example is easy, it works and it seams to do exactly what I want. But I don't understand how it works.

  • What is happening in the background?
  • Does Waffle get the Kerberos ticket from Windows?
  • How does the server validate the ticket of the client?
  • Can I absolutely trust the user groups which I get after the do-loop from the server context?

Thanks. Thomas.

like image 377
Thomas Uhrig Avatar asked Jul 29 '13 07:07

Thomas Uhrig

1 Answers

Does Waffle get the Kerberos ticket from Windows?

Waffle uses the Windows SSPI, which performs all operations involving Kerberos tickets on client's behalf. The client never sees the ticket.

How does the server validate the ticket of the client?

This is a basic Kerberos question. The token sent to the server is encrypted by server's secret key, which guarantees that the token was created by the Ticket Granting Service, which authenticated the client.

Can I absolutely trust the user groups which I get after the do-loop from the server context?

Yes, the are retrieved from the security token. This is a Windows-specific extension of the MIT Kerberos protocol.

like image 142
Marko Topolnik Avatar answered Oct 29 '22 13:10

Marko Topolnik
Sign in to Comment

Related questions

JGit detect rename in working copy
jarsigner manifest permissions
Cannot achieve HTTP caching in android
Find all dependencies in a Java class
How to implement a custom AdapterFactory for Sling Resource?
Deployed to Tomcat 7 OK but cannot access application
How to test AtomicBoolean atomicity?
How to configure log4j to log only info messages and higher?
How to use Wrap Method of ByteBuffer in Java
Substring or characterAt method for UTF8 Strings with 2+ bytes in JAVA
Strange looking guava code
Why do I need java.net.preferIPv4Stack=true only on some windows 7 systems?
Java error: possible loss of precision
Get File Extension for special cases like tar.gz [closed]
How to generate Java from online UML models?
Is there any equivalent of getch() from C++ in Java? [duplicate]
XJC doesn't generate the @XmlElement with namespace?
Is it ever a safe to always ignore InterruptedException calling Thread sleep() in Java
Why SerialVersionUID is static
How to import ldif file using unboundid-ldap-sdp?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!