I'm trying to implement an SSO on Windows (in Java). Recently I discovered this example doing exactly what I want to do with Waffle:
// Waffle and JNA types used by the snippet
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.Sspi.SecBufferDesc;
import waffle.windows.auth.IWindowsAccount;
import waffle.windows.auth.IWindowsCredentialsHandle;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

// SSPI package to use: Negotiate picks Kerberos and falls back to NTLM
// (this variable was referenced but never defined in the snippet)
String securityPackage = "Negotiate";

// client credentials handle (the credentials of the currently logged-on user)
IWindowsCredentialsHandle credentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);
credentials.initialize();

// initial client security context: produces the first token to send to the server
WindowsSecurityContextImpl clientContext = new WindowsSecurityContextImpl();
clientContext.setPrincipalName(Advapi32Util.getUserName());
clientContext.setCredentialsHandle(credentials.getHandle());
clientContext.setSecurityPackage(securityPackage);
clientContext.initialize();

// accept on the server
WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
IWindowsSecurityContext serverContext = null;
do {
    if (serverContext != null) {
        // initialize on the client: feed the server's reply token back into the client context
        SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverContext.getToken());
        clientContext.initialize(clientContext.getHandle(), continueToken);
    }
    // accept the token on the server
    serverContext = provider.acceptSecurityToken(clientContext.getToken(), securityPackage);
} while (clientContext.getContinue() || serverContext.getContinue());

// the exchange is complete: the server now holds the authenticated identity
System.out.println(serverContext.getIdentity().getFqn());
for (IWindowsAccount group : serverContext.getIdentity().getGroups()) {
    System.out.println(" " + group.getFqn());
}
...
The example is easy, it works and it seems to do exactly what I want. But I don't understand how it works.
- What is happening in the background?
- Does Waffle get the Kerberos ticket from Windows?
- How does the server validate the ticket of the client?
- Can I absolutely trust the user groups which I get after the do-loop from the server context?
Thanks. Thomas.
PS: I don't search for a way to implement a secure communication in the first way. I search for a way to know on the server for sure which client is connected (without username/password login).
--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock
I meant to say tampered :)

On Tue, Jul 30, 2013 at 6:50 AM, Daniel Doubrovkine <dbl...@dblock.org> wrote:
Regarding your PS:, you came to the right place. You're describing SSO.
- What is happening in the background?
Windows API is an abstraction of authentication. So what's happening in the background is the "normal" Kerberos or NTLM process.
- Does Waffle get the Kerberos ticket from Windows?
Yes. Actually Waffle asks the SSPI, which then asks the SSPI Kerberos provider.
- How does the server validate the ticket of the client?
It passes it to the Kerberos provider on the server via the SSPI.
- Can I absolutely trust the user groups which I get after the do-loop from the server context?
Yes. Those are written as part of the login context and cannot be tempered with.

On Mon, Jul 29, 2013 at 3:52 AM, Thomas Uhrig <tuhr...@gmail.com> wrote:
Hi everybody,
first of all I'm completely new to "authentication" and Waffle and I just try to learn the basics. So here is my question:
I'm trying to implement an SSO on Windows (in Java). Recently I discovered this example doing exactly what I want to do with Waffle:
The example is easy, it works and it seems to do exactly what I want. But I don't understand how it works.
- What is happening in the background?
- Does Waffle get the Kerberos ticket from Windows?
- How does the server validate the ticket of the client?
- Can I absolutely trust the user groups which I get after the do-loop from the server context?
Thanks. Thomas.
PS: I don't search for a way to implement a secure communication in the first way. I search for a way to know on the server for sure which client is connected (without username/password login).
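As an added example (not code from Thomas's post or from the Waffle project), this is how a server would consume the identity that comes out of the do-loop once Daniel's answer is taken at face value: the group list is what SSPI put in the server-side logon token, so an authorization decision can be based on it, but it should match group SIDs rather than display names (names can be renamed or collide across domains, the SID is the value the domain controller issued) and should refuse a guest logon, where no real authentication took place. It assumes the Waffle methods IWindowsIdentity.isGuest(), IWindowsIdentity.getGroups(), IWindowsAccount.getSidString() and IWindowsSecurityContext.dispose(); the group SID is a placeholder.

```java
import java.util.Set;

import waffle.windows.auth.IWindowsAccount;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsSecurityContext;

// Added example, not part of the original post or of Waffle itself.
public final class SsoAuthorization {

    // Placeholder: replace with the SID of the group that is allowed in.
    // Look it up once (for example with "whoami /groups" on a member of it)
    // and configure it, rather than resolving a name at request time.
    static final String ALLOWED_GROUP_SID = "S-1-5-21-<domain>-<rid>";

    private SsoAuthorization() {}

    /**
     * Decides whether the caller authenticated in serverContext may use the service.
     * Assumes the Waffle API: isGuest(), getGroups() and getSidString().
     */
    public static boolean isAuthorized(IWindowsSecurityContext serverContext,
                                       Set<String> allowedGroupSids) {
        IWindowsIdentity identity = serverContext.getIdentity();

        // A guest logon means the package fell back to the Guest account:
        // the token carries no proof of who the client is, so deny it.
        if (identity.isGuest()) {
            return false;
        }

        // Compare by SID: this is the value from the server-side logon token,
        // which the client cannot tamper with, unlike a name it could spoof
        // in an application-level message.
        for (IWindowsAccount group : identity.getGroups()) {
            if (allowedGroupSids.contains(group.getSidString())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Logs the authenticated principal for audit, then releases the
     * server-side context (it holds an SSPI handle and must be disposed).
     */
    public static void auditAndRelease(IWindowsSecurityContext serverContext) {
        IWindowsIdentity identity = serverContext.getIdentity();
        System.out.println("authenticated " + identity.getFqn()
                + " sid=" + identity.getSidString());
        serverContext.dispose();
    }

    // Usage once the do-loop from the post has finished:
    //   boolean ok = SsoAuthorization.isAuthorized(serverContext, Set.of(ALLOWED_GROUP_SID));
    //   SsoAuthorization.auditAndRelease(serverContext);
}
```

The client-side context and credentials handle from the post should be disposed the same way once the exchange is over; they also wrap native SSPI handles that are not freed by garbage collection.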