WAFFLE: Windows Authentication in Java
Daniel Doubrovkine | @dblockdotorg
“Most enterprise customers can’t log in to your product.”

“What do you mean by you don’t support nested groups?”
What is my canonical username?
What local groups am I a member of?
What domain groups am I a member of?
• User and Group Names Used Instead of SIDs
• Used Net* Functions to Enumerate Local Groups
• Tried to Use LDAP to Enumerate Domain Groups
• Failed to Support Nested Groups
• Failed to Resolve Domain Trusts

… and much more that few people know about AD
Enterprises are Switching to Smart Cards + PIN
100% Java
• JNA http://github.com/twall/jna

Win32 API
• Won’t work on *nix
advapi32.dll:

BOOL LogonUser(
  LPTSTR lpszUsername,
  LPTSTR lpszDomain,
  LPTSTR lpszPassword,
  DWORD dwLogonType,
  DWORD dwLogonProvider,
  PHANDLE phToken );
// a user handle: LogonUser verifies the credentials and returns a token
HANDLEByReference phUser = new HANDLEByReference();
if (!Advapi32.INSTANCE.LogonUser(
    "Administrator", "ENTERPRISE", "password",
    WinBase.LOGON32_LOGON_NETWORK,
    WinBase.LOGON32_PROVIDER_DEFAULT,
    phUser)) {
  // a false return means bad credentials, a locked account, etc.
  throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
}
// user group memberships: first call asks for the required size, second fills the structure
IntByReference tokenInformationLength = new IntByReference();
Advapi32.INSTANCE.GetTokenInformation(phUser.getValue(),
  WinNT.TOKEN_INFORMATION_CLASS.TokenGroups,
  null, 0, tokenInformationLength);
WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(tokenInformationLength.getValue());
Advapi32.INSTANCE.GetTokenInformation(phUser.getValue(),
  WinNT.TOKEN_INFORMATION_CLASS.TokenGroups,
  groups, tokenInformationLength.getValue(), tokenInformationLength);

for (WinNT.SID_AND_ATTRIBUTES sid : groups.getGroups()) {
  // sid.Sid is a PSID; sid.Attributes carries the SE_GROUP_* flags for this entry
}
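The loop body on this slide is left empty. What usually goes there is rendering each SID_AND_ATTRIBUTES entry as a string SID and deciding whether it counts as a membership, and that decision depends on the attribute bits: a group can be present in a token for deny-only purposes (the UAC-filtered token of an administrator is the common case) and must never grant access, and the per-session logon SID is not a group at all. The following is an added example, not code from this deck or from the Waffle project; it is written in Python so that it runs without Windows, and it decodes the binary SID layout that ConvertSidToStringSid handles for you on the platform. The SE_GROUP_* values are the real winnt.h constants; the token contents in SAMPLE_TOKEN_GROUPS and the domain SID S-1-5-21-1000-2000-3000 are constructed for the example.

```python
import struct

# SE_GROUP_* attribute bits from winnt.h
SE_GROUP_MANDATORY          = 0x00000001
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
SE_GROUP_ENABLED            = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY  = 0x00000010
SE_GROUP_LOGON_ID           = 0xC0000000


def sid_to_string(raw):
    """Render a binary SID (the bytes a PSID points at) as S-R-A-S1-S2...,
    the same text form Win32 ConvertSidToStringSid produces."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)     # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def string_to_sid(text):
    """Inverse of sid_to_string; used here to build the constructed sample."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def effective_groups(token_groups):
    """Decide which TOKEN_GROUPS entries may grant access.
    token_groups is a list of (binary SID, attributes) pairs, mirroring the
    SID_AND_ATTRIBUTES array the JNA loop on the slide iterates."""
    granted = []
    for raw_sid, attrs in token_groups:
        if attrs & SE_GROUP_USE_FOR_DENY_ONLY:
            continue        # present only so deny ACEs still apply; never a membership
        if not attrs & SE_GROUP_ENABLED:
            continue        # disabled in this token
        if (attrs & SE_GROUP_LOGON_ID) == SE_GROUP_LOGON_ID:
            continue        # per-logon-session SID, not a real group
        granted.append(sid_to_string(raw_sid))
    return granted


# Constructed sample: the shape of a UAC-filtered token of a domain user
SAMPLE_TOKEN_GROUPS = [
    # BUILTIN\Administrators (S-1-5-32-544) as raw bytes: revision 1, 2 sub-authorities, authority 5
    (bytes.fromhex("01020000000000052000000020020000"), SE_GROUP_USE_FOR_DENY_ONLY),
    # Everyone
    (string_to_sid("S-1-1-0"), SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED),
    # Domain Users (RID 513) in a made-up domain
    (string_to_sid("S-1-5-21-1000-2000-3000-513"), SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED),
    # logon session SID
    (string_to_sid("S-1-5-5-0-123456"), SE_GROUP_LOGON_ID | SE_GROUP_ENABLED),
    # BUILTIN\Users, listed but not enabled
    (string_to_sid("S-1-5-32-545"), SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT),
]

if __name__ == "__main__":
    for raw_sid, attrs in SAMPLE_TOKEN_GROUPS:
        print("%-32s attributes=0x%08x" % (sid_to_string(raw_sid), attrs))
    print("effective:", effective_groups(SAMPLE_TOKEN_GROUPS))
```

Run on the sample, only Everyone and Domain Users survive: the Administrators entry is deny-only, the logon SID is not a group, and BUILTIN\Users is present but not enabled. Comparing string SIDs rather than names is also what makes the check survive a group rename or a trusted-domain group that resolves to a different display name.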
// current user name (the identity the process runs as)
Secur32.INSTANCE.GetUserNameEx(format, ...)

// run the calling thread as the logged-on user
Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser.getValue());

// impersonated user: the same call now reports the logged-on user
Secur32.INSTANCE.GetUserNameEx(format, ...)

// always drop the impersonation again, on the error path too
Advapi32.INSTANCE.RevertToSelf();
• Current User Security Identifier
• Group Memberships (a list of SIDs)
• Privileges

[diagram: Current Process / Current Thread]
HANDLE h = Kernel32.INSTANCE.GetCurrentThread();

HANDLEByReference phToken = new HANDLEByReference();

// a thread token only exists while the thread impersonates; otherwise the call
// fails with ERROR_NO_TOKEN and the process token (OpenProcessToken) is the one to read
Advapi32.INSTANCE.OpenThreadToken(
  h,
  WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY,
  true, phToken);

… enumerate groups with Advapi32.INSTANCE.GetTokenInformation
Active Directory
• Since Windows 2000
• Multi-Master Directory Service w/ Trusts
• Storage: Domain Data, User Data, User Group Data, Security Data, Etc.
• Active Directory Service Interface (ADSI)
SSP = Security Support Provider
• Kerberos, Microsoft Windows NT LAN Manager (NTLM), Negotiate

SSPI
• Proprietary Implementation of GSSAPI (IETF Standard)
• Integrated Distributed Security Services
1. Insert a Smart Card into a Reader
2. Logon to a Server Joined to an AD Domain
3. Navigate to a Website, No Prompts
4. Check Permissions w/ Application
5. Logged on as a Domain User on the Server
6. $$$
Secur32.dll:

AcquireCredentialsHandle   (both sides: obtain a handle to the caller’s credentials)
InitializeSecurityContext  (client: produce the next token to send)
AcceptSecurityContext      (server: consume the client token, produce the reply)
• Waffle Provides Windows Authentication and Authorization Functions
• Filters and Providers for Application Servers
• Tomcat, Jetty, WebSphere, etc.
• Open-Source

http://waffle.codeplex.com
• Waffle-jna.jar + jna.jar + platform.jar
• WEB-INF\web.xml
    <filter>
      <filter-name>SecurityFilter</filter-name>
      <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>SecurityFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
• JSP Page
    <%= request.getUserPrincipal().getName() %>
GET /secure HTTP/1.1

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

GET /secure HTTP/1.1
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgo…9kqa6BepAo=

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=

GET /secure HTTP/1.1
Authorization: Negotiate oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAA…HQAAAA9SRy02NDEwSU5URVJORVdT

HTTP/1.1 200 OK
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=
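Every WWW-Authenticate: Negotiate value in this exchange is a base64 SPNEGO NegTokenResp (RFC 4178). The decoder below is an added example in Python, not part of the deck or of Waffle; it parses the two server tokens that the slide shows in full (the client tokens on the slide are truncated with …) and surfaces the two fields worth logging on the server side: negState and supportedMech. On this exchange the 401 reply selects NTLMSSP (OID 1.3.6.1.4.1.311.2.2.10) with negState request-mic, meaning the acceptor wants a MIC over the mechanism list before it will report completion, and the 200 reply reports accept-completed and carries that mechListMIC. A deployment that was expected to authenticate with Kerberos but keeps selecting NTLM shows up exactly in this field. KNOWN_MECHS holds the three mechanism OIDs the example recognises; any other OID is returned in dotted form.

```python
import base64

# Server-side Negotiate tokens copied from the slide's exchange (the two shown in full)
CHALLENGE_401 = "oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo="
FINAL_200 = "oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA="

# negState values, RFC 4178 section 4.2.2
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

# Mechanism OIDs a Windows acceptor can select
KNOWN_MECHS = {
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5",
}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_neg_token_resp(b64):
    """Decode a base64 SPNEGO NegTokenResp, the structure WWW-Authenticate: Negotiate carries."""
    data = base64.b64decode(b64)
    tag, body, _ = read_tlv(data, 0)
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp ([1] tag expected)")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("NegTokenResp body must be a SEQUENCE")
    result = {"negState": None, "supportedMech": None, "responseToken": None, "mechListMIC": None}
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        _, inner, _ = read_tlv(field, 0)      # each [n] field wraps one primitive value
        if tag == 0xA0:                       # [0] negState ENUMERATED
            result["negState"] = NEG_STATE.get(inner[0], "unknown(%d)" % inner[0])
        elif tag == 0xA1:                     # [1] supportedMech OID
            oid = decode_oid(inner)
            result["supportedMech"] = KNOWN_MECHS.get(oid, oid)
        elif tag == 0xA2:                     # [2] responseToken: the inner NTLM or Kerberos blob
            result["responseToken"] = inner
        elif tag == 0xA3:                     # [3] mechListMIC OCTET STRING
            result["mechListMIC"] = inner.hex()
    return result


if __name__ == "__main__":
    for label, token in (("401 challenge", CHALLENGE_401), ("200 final", FINAL_200)):
        print(label, parse_neg_token_resp(token))
```

The responseToken field ([2]) is absent from both server tokens on the slide; when present it is the NTLM CHALLENGE or the Kerberos AP-REP, which is what the client feeds into its next InitializeSecurityContext call.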
IWindowsAuthProvider
IWindowsAccount
IWindowsComputer
IWindowsDomain
IWindowsIdentity

// the layering, as pseudocode: logon token → identity → group list
IntPtr securityToken = Advapi32.LogonUser(username, domain, password);
WindowsIdentity windowsIdentity = new WindowsIdentity(securityToken);
return windowsIdentity.groups;
WAFFLE: Windows Authentication in Java
