What is this Waffle SSO example doing
I'm trying to implement a SSO on Windows (in Java). Recently I discovered this example doing exactly what I want to do with Waffle:

// imports the snippet needs (JNA platform classes and Waffle)
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.Sspi.SecBufferDesc;
import waffle.windows.auth.IWindowsAccount;
import waffle.windows.auth.IWindowsCredentialsHandle;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

// SSPI security package used on both sides; "Negotiate" lets SSPI choose Kerberos
// (or fall back to NTLM when no ticket can be obtained)
String securityPackage = "Negotiate";

// client credentials handle (the credentials of the currently logged-on Windows user)
IWindowsCredentialsHandle credentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);
credentials.initialize();

// initial client security context: produces the first token to send to the server
WindowsSecurityContextImpl clientContext = new WindowsSecurityContextImpl();
clientContext.setPrincipalName(Advapi32Util.getUserName());
clientContext.setCredentialsHandle(credentials.getHandle());
clientContext.setSecurityPackage(securityPackage);
clientContext.initialize();

// accept on the server
WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
IWindowsSecurityContext serverContext = null;

// token round trips continue until neither side asks for another leg
do {

    if (serverContext != null) {

        // feed the server's reply token back into the client context
        SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverContext.getToken());
        clientContext.initialize(clientContext.getHandle(), continueToken);
    }

    // accept the client's token on the server
    serverContext = provider.acceptSecurityToken(clientContext.getToken(), securityPackage);

} while (clientContext.getContinue() || serverContext.getContinue());

// the authenticated identity and its group memberships, as seen by the server
System.out.println(serverContext.getIdentity().getFqn());
for (IWindowsAccount group : serverContext.getIdentity().getGroups()) {
    System.out.println(" " + group.getFqn());
}

...

The example is easy, it works and it seems to do exactly what I want. But I don't understand how it works.

  • What is happening in the background?
  • Does Waffle get the Kerberos ticket from Windows?
  • How does the server validate the ticket of the client?
  • Can I absolutely trust the user groups which I get after the do-loop from the server context?

Thanks. Thomas.

Dragline answered 29/7, 2013 at 7:33

Comment: If I set this code and add a reference to the jar, I am able to compile my jar, but at runtime Tomcat throws "Advautil32 cannot be resolved". Where do I need to put the Waffle jars? Thanks. (Colorful)

Does Waffle get the Kerberos ticket from Windows?

Waffle uses the Windows SSPI, which performs all operations involving Kerberos tickets on the client's behalf. The client never sees the ticket.

How does the server validate the ticket of the client?

This is a basic Kerberos question. The token sent to the server is encrypted with the server's secret key, which guarantees that the token was created by the Ticket Granting Service, which authenticated the client.

Can I absolutely trust the user groups which I get after the do-loop from the server context?

Yes, they are retrieved from the security token. This is a Windows-specific extension of the MIT Kerberos protocol.

Lashaun answered 29/7, 2013 at 7:56
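Added example, not part of the original question or answer and not Waffle's own code: the same Negotiate round trip as in the question, followed by the check a practitioner would put on the server side before acting on the result. The authorization decision compares group SIDs rather than display names, and rejects guest identities. It assumes a Windows host with Waffle and JNA on the classpath, and the Waffle API version used in the question (two-argument acceptSecurityToken and initialize); S-1-5-32-544 is the well-known SID of BUILTIN\Administrators and stands in for whatever group you actually want to allow.

```java
import java.util.Collections;
import java.util.Set;

import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.Sspi.SecBufferDesc;

import waffle.windows.auth.IWindowsAccount;
import waffle.windows.auth.IWindowsCredentialsHandle;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

public class SidBasedAuthorization {

    // Well-known SID of BUILTIN\Administrators; identical on every Windows installation.
    // Placeholder for the group your application really wants to allow.
    static final String BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544";

    /**
     * Server-side authorization once SSPI has accepted the client.
     * Matches on group SIDs, not on display names: a name can be renamed or
     * collide across domains, a SID cannot. Guest identities are refused.
     */
    static boolean isAuthorized(IWindowsIdentity identity, Set<String> allowedGroupSids) {
        if (identity == null || identity.isGuest()) {
            return false;
        }
        for (IWindowsAccount group : identity.getGroups()) {
            if (allowedGroupSids.contains(group.getSidString())) {
                return true;
            }
        }
        return false;
    }

    /**
     * The Negotiate round trip from the question (client and server in one process),
     * returning the accepted server context. Assumes the Waffle API version used in
     * the question. Client-side handles are released once the handshake is over.
     */
    static IWindowsSecurityContext negotiate(String securityPackage) {
        IWindowsCredentialsHandle credentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);
        credentials.initialize();
        WindowsSecurityContextImpl clientContext = new WindowsSecurityContextImpl();
        try {
            clientContext.setPrincipalName(Advapi32Util.getUserName());
            clientContext.setCredentialsHandle(credentials.getHandle());
            clientContext.setSecurityPackage(securityPackage);
            clientContext.initialize();

            WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
            IWindowsSecurityContext serverContext = null;
            do {
                if (serverContext != null) {
                    // hand the server's reply token back to the client context
                    SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverContext.getToken());
                    clientContext.initialize(clientContext.getHandle(), continueToken);
                }
                serverContext = provider.acceptSecurityToken(clientContext.getToken(), securityPackage);
            } while (clientContext.getContinue() || serverContext.getContinue());
            return serverContext;
        } finally {
            clientContext.dispose();
            credentials.dispose();
        }
    }

    public static void main(String[] args) {
        IWindowsSecurityContext serverContext = negotiate("Negotiate");
        try {
            IWindowsIdentity identity = serverContext.getIdentity();
            Set<String> allowed = Collections.singleton(BUILTIN_ADMINISTRATORS_SID);
            System.out.println(identity.getFqn() + " authorized: " + isAuthorized(identity, allowed));
        } finally {
            // releases the server context and the access token it holds
            serverContext.dispose();
        }
    }
}
```

The point of matching on getSidString() rather than getFqn(): the group list the server sees is built from the SIDs in the client's access token, and SIDs are what stay stable when an administrator renames a group or when two domains happen to use the same group name. Checking isGuest() matters because, depending on server policy, a failed or anonymous logon can still yield a valid-looking identity mapped to the Guest account.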
