Windows Authentication for Java with WAFFLE presented at the NYCJavaSIG in February 2012.

1. Daniel Doubrovkine | @dblockdotorg

2. “Most enterprise
customers can’t login to
your product.”
“What do you mean by
you don’t support nested
groups?”

3. What is my canonical username?
What local groups am I a member of?
What domain groups am I a member of?

4.  User and Group Names Used
Instead of SIDs
 Used Net* Functions to
Enumerate Local Groups
 Tried to Use LDAP to Enumerate
Domain Groups
 Failed to Support Nested Groups
 Failed to Resolve Domain Trusts
… and much more that few people know about AD

5. Enterprises are
Switching to Smart
Cards + PIN

6. 100% Java
 JNA http://github.com/twall/jna
Win32 API
 Won’t work on *nix

7. BOOL LogonUser(
LPTSTR lpszUsername,
LPTSTR lpszDomain,
LPTSTR lpszPassword,
DWORD dwLogonType,
DWORD dwLogonProvider,
PHANDLE phToken );
advapi32.dll

8. // a user handle
HANDLEByReference phUser = new HANDLEByReference();
Advapi32.INSTANCE.LogonUser(
"Administrator", "ENTERPRISE", "password",
WinBase.LOGON32_LOGON_NETWORK,
WinBase.LOGON32_PROVIDER_DEFAULT,
phUser);

9. // user group memberships
WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(...);
Advapi32.INSTANCE.GetTokenInformation(
phUser,
WinNT.TOKEN_INFORMATION_CLASS.TokenGroups,
groups,
tokenInformationLength,
tokenInformationLength));
for (SID_AND_ATTRIBUTES sid : groups) {
}

10. // current user name
Secur32.INSTANCE.GetUserNameEx(format, ...)
Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser);
// impersonated user
Secur32.INSTANCE.GetUserNameEx(format, ...)
Advapi32.INSTANCE.RevertToSelf();

11.  Current User Security Identifier
 Group Memberships (a list of SIDs)
 Privileges
Current
Process
Current
Thread

12. HANDLE h =
Kernel32.INSTANCE.GetCurrentThread();
HANDLEByReference phToken = new
HANDLEByReference();
Advapi32.INSTANCE.OpenThreadToken(
h,
WinNT.TOKEN_DUPLICATE |
WinNT.TOKEN_QUERY,
true, phToken)
… enumerate groups with
Advapi32.INSTANCE.GetTokenInformation

13.  Since Windows 2000
 Multi-Master Directory
Service w/ Trusts
 Storage
 Domain Data
 User Data
 User Group Data
 Security Data
 Etc.
 Active Directory Service
Interface (ADSI)

14. SSP = Security Support
Provider
 Kerberos, Microsoft Windows NT LAN
Manager (NTLM), Negotiate
SSPI
 Proprietary Implementation of
GSSAPI (IETF Standard)
 Integrated Distributed Security
Services

15. 1. Insert a Smart Card into a
Reader
2. Logon to a Server Joined
to an AD Domain
3. Navigate to a Website,
No Prompts
4. Check Permissions w/
Application
5. Logged on as a Domain
User on the Server
6. $$$

16. AcquireCredentialsHandle
InitializeSecurityContext
AcceptSecurityContext
Secur32.dll

19.  Waffle Provides Windows
Authentication and
Authorization Functions
 Filters and Providers for
Application Servers
Tomcat, Jetty, WebSphere, etc.
 Open-Source
http://waffle.codeplex.com

20.  Waffle-jna.jar + jna.jar + platform.jar
 WEB-INFweb.xml
<filter>
<filter-name>SecurityFilter</filter-name>
<filter-
class>waffle.servlet.NegotiateSecurityFilter</filter-
class>
</filter>
<filter-mapping>
<filter-name>SecurityFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
 JSP Page
<%= request.getUserPrincipal().getName() %>

21. GET /secure HTTP/1.1
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
GET /secure HTTP/1.1
Authorization: Negotiate
YIGeBgYrBgEFBQKggZMwgZCgGjAYBgo…9kqa6BepAo=
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=
GET /secure HTTP/1.1
Authorization: Negotiate
oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAA…HQAAAA9SRy02
NDEwSU5URVJORVdT
HTTP/1.1 200 OK
WWW-Authenticate: Negotiate
oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=

22. IWindowsAuthProvider
IWindowsAccount
IWindowsComputer
IWindowsDomain
IWindowsIdentity
IntPtr securityToken = Advapi32.LogonUser(
username, domain, password);
WindowsIdentity windowsIdentity =
new WindowsIdentity(securityToken);
return windowsIdentity.groups;

23. @