What is this Waffle SSO example doing


Thomas Uhrig

Jul 29, 2013, 3:52:11 AM
to waffle...@googlegroups.com
Hi everybody,

First of all, I'm completely new to "authentication" and Waffle and I'm just trying to learn the basics. So here is my question:

I'm trying to implement an SSO on Windows (in Java). Recently I discovered this example doing exactly what I want to do with Waffle:

// imports this snippet needs (Waffle and the JNA platform classes it builds on)
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.Sspi.SecBufferDesc;
import waffle.windows.auth.IWindowsAccount;
import waffle.windows.auth.IWindowsCredentialsHandle;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

// security package: Negotiate selects Kerberos when a ticket is available, otherwise NTLM
String securityPackage = "Negotiate";

// client credentials handle (the logged-on user's credentials, obtained from SSPI)
IWindowsCredentialsHandle credentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);
credentials.initialize();

// initial client security context: produces the first token to send to the server
WindowsSecurityContextImpl clientContext = new WindowsSecurityContextImpl();
clientContext.setPrincipalName(Advapi32Util.getUserName());
clientContext.setCredentialsHandle(credentials.getHandle());
clientContext.setSecurityPackage(securityPackage);
clientContext.initialize();

// accept on the server
WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
IWindowsSecurityContext serverContext = null;

do {

    if (serverContext != null) {

        // feed the server's challenge token back into the client context
        SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverContext.getToken());
        clientContext.initialize(clientContext.getHandle(), continueToken);
    }

    // accept the token on the server
    serverContext = provider.acceptSecurityToken(clientContext.getToken(), securityPackage);

} while (clientContext.getContinue() || serverContext.getContinue());

// the server side now holds the authenticated identity and its group memberships
System.out.println(serverContext.getIdentity().getFqn());
for (IWindowsAccount group : serverContext.getIdentity().getGroups()) {
    System.out.println(" " + group.getFqn());
}

// release the SSPI handles when done
serverContext.dispose();
clientContext.dispose();
credentials.dispose();

...

The example is easy, it works and it seems to do exactly what I want. But I don't understand how it works.

  • What is happening in the background?
  • Does Waffle get the Kerberos ticket from Windows?
  • How does the server validate the ticket of the client?
  • Can I absolutely trust the user groups which I get after the do-loop from the server context?

Thanks. Thomas.

PS: I'm not looking for a way to implement secure communication in the first place. I'm looking for a way to know for sure on the server which client is connected (without a username/password login).

Daniel Doubrovkine

Jul 30, 2013, 6:50:00 AM
to waffle...@googlegroups.com
Regarding your PS:, you came to the right place. You're describing SSO.

  • What is happening in the background?
The Windows API is an abstraction over authentication. So what's happening in the background is the "normal" Kerberos or NTLM process.

  • Does Waffle get the Kerberos ticket from Windows?
Yes. Actually Waffle asks the SSPI, which then asks the SSPI Kerberos provider.

  • How does the server validate the ticket of the client?
It passes it to the Kerberos provider on the server via the SSPI. 

  • Can I absolutely trust the user groups which I get after the do-loop from the server context?
Yes. Those are written as part of the login context and cannot be tampered with.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--

dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock

Daniel Doubrovkine

Jul 30, 2013, 6:50:10 AM
to waffle...@googlegroups.com
I meant to say tampered :)

Amadeusz Sadowski

Jul 30, 2013, 10:45:56 AM
to waffle...@googlegroups.com
Okay, I tried this example, but it's heavily outdated, some initializations have changed and I have no idea what to change.

I'm trying to enable the Rapla Client to use Windows' SSO (it works like this: in the browser you open Jetty's webpage, click to start Java Web Start, and a client application is loaded onto the user's PC - this is when I need to authorize the user to the server) - thus far my attempts have failed, probably because Rapla uses its own auth system. So I had to try and encode authentication into the source code, at which I promptly failed. I'd be very grateful if I could also get my hands on users' email from an Active Directory on the intranet.

Any help will be greatly appreciated.

Amadeusz


Daniel Doubrovkine

Jul 30, 2013, 3:37:49 PM
to waffle...@googlegroups.com
I've updated the FAQ on this: https://github.com/dblock/waffle/blob/master/Docs/faq/ClientSide.md, it should be a start.

Thomas Uhrig

Aug 7, 2013, 10:49:30 AM
to waffle...@googlegroups.com
Hi Daniel,

First of all, thank you very much! The example you posted is really nice. But I have one more question, for my understanding:

After the authentication I know who the user is. I have a server side context representing the client:

System.out.println(serverContext.getIdentity().getFqn());
for (IWindowsAccount group : serverContext.getIdentity().getGroups()) {
    System.out.println(" " + group.getFqn());
}  

Now, is there any way to send a token (byte[] or whatever) from the server to the client to re-authenticate the client without sending messages back and forth? I'm thinking of something like this:

// make the server context know who the user is, as above
// now send a token to the user so he can authenticate himself next time
respondToClient(yourUniqueToken);

// on the client side I want to do something like:
myUniqueToken = authenticateToServer();
...
performActionOnServer(actionName, myUniqueToken);

// and back on the server:
public void performAction(String actionName, String uniqueToken) {

    // I want to get the same security context as before
    securityContext = getContextByToken(uniqueToken);
    ...
}

I already thought about the problem and the only thing that comes to my mind is to generate a "secret key" for the security context and store it in a map on the server. When I send the key to the user he can always re-authenticate himself with that key. But it feels like I'm missing something. Is there any way to do that with Waffle? Any built-in functionality? Or is this beyond the functionality of Waffle?

Thanks. Thomas.

Daniel Doubrovkine

Aug 7, 2013, 11:40:00 AM
to waffle...@googlegroups.com
If I understand correctly, once you know who the Windows user is, you look up the corresponding user in, say, the database? So the next time a request is made you want to avoid the lookup?

You can set a cookie on the client with the ID or whatever other information you want. If you're going to do that, just write a filter that sits after Waffle. Make sure to encrypt or sign that so that it cannot be forged, otherwise any user can impersonate any other user. That's beyond Waffle's scope.

Do note that with Windows auth *every* request will carry the identity of the user, so serverContext.getIdentity()... will always return the same thing.
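
The "sign it so it cannot be forged" advice above, as an added example that is not from this thread and not part of Waffle: a hypothetical SignedSessionToken helper that issues a cookie value carrying the FQN Waffle authenticated (here a constructed "EXAMPLE\thomas"; in the snippet from the first post it would be serverContext.getIdentity().getFqn()) plus an expiry, signed with an HMAC key that only the server holds. The main() shows a genuine token verifying, a token minted by a party without the server key being rejected, and the same token being rejected after its expiry.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not part of Waffle: issues and checks an HMAC-signed
// session token that carries the FQN authenticated on the server.
public final class SignedSessionToken {
    private static final String HMAC = "HmacSHA256";
    private final SecretKeySpec key;

    public SignedSessionToken(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, HMAC);
    }

    // token layout: base64url(fqn) "." expiresAtMillis "." base64url(HMAC(body))
    public String issue(String fqn, long expiresAtMillis) throws Exception {
        String body = b64(fqn.getBytes(StandardCharsets.UTF_8)) + "." + expiresAtMillis;
        return body + "." + b64(hmac(body));
    }

    // Returns the FQN if the token is genuine and not expired, otherwise null.
    public String verify(String token, long nowMillis) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) {
            return null;
        }
        String body = parts[0] + "." + parts[1];
        byte[] givenMac;
        try {
            givenMac = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // constant-time comparison, and nothing in the body is trusted before it passes
        if (!MessageDigest.isEqual(hmac(body), givenMac)) {
            return null;
        }
        long expiresAt;
        try {
            expiresAt = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis >= expiresAt) {
            return null;
        }
        return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
    }

    private byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance(HMAC);
        mac.init(key);
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) throws Exception {
        // generated once at server start and never sent to a client
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SignedSessionToken server = new SignedSessionToken(secret);

        long now = System.currentTimeMillis();
        long tenMinutes = 10 * 60 * 1000L;

        // constructed FQN for the example; a real server takes it from the Waffle identity
        String token = server.issue("EXAMPLE\\thomas", now + tenMinutes);
        System.out.println("issued   : " + token);
        System.out.println("verified : " + server.verify(token, now));

        // a client that does not know the server secret cannot mint a token for another user
        SignedSessionToken forger = new SignedSessionToken(new byte[32]);
        String forged = forger.issue("EXAMPLE\\Administrator", now + tenMinutes);
        System.out.println("forged   : " + server.verify(forged, now));

        // the genuine token is rejected once its expiry has passed
        System.out.println("expired  : " + server.verify(token, now + tenMinutes));
    }
}
```

The token is signed but not encrypted, so the client can read the FQN inside it; that is fine because the FQN is not a secret, only its authenticity matters. If a session must be revocable before it expires, keep a server-side denylist keyed on the token (or a per-user serial included in the signed body); the HMAC alone only proves the server issued it.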

Thomas Uhrig

Aug 7, 2013, 12:34:26 PM
to waffle...@googlegroups.com
Thanks :)