WAFFLE: Windows Authentication in Java
Daniel Doubrovkine | @dblockdotorg
Slide 2.
  “Most enterprise customers can’t login to your product.”
  “What do you mean by you don’t support nested groups?”

Slide 3.
  What is my canonical username?
  What local groups am I a member of?
  What domain groups am I a member of?

Slide 4.
  • User and Group Names Used Instead of SIDs
  • Used Net* Functions to Enumerate Local Groups
  • Tried to Use LDAP to Enumerate Domain Groups
  • Failed to Support Nested Groups
  • Failed to Resolve Domain Trusts
  … and much more that few people know about AD

Slide 5.
  Enterprises are Switching to Smart Cards + PIN

Slide 6.
  100% Java
    JNA http://github.com/twall/jna
  Win32 API
    Won’t work on *nix

Slide 7. advapi32.dll
  BOOL LogonUser(
    LPTSTR lpszUsername,
    LPTSTR lpszDomain,
    LPTSTR lpszPassword,
    DWORD dwLogonType,
    DWORD dwLogonProvider,
    PHANDLE phToken );

Slide 8.
  // a user handle
  HANDLEByReference phUser = new HANDLEByReference();
  Advapi32.INSTANCE.LogonUser(
    "Administrator", "ENTERPRISE", "password",
    WinBase.LOGON32_LOGON_NETWORK,
    WinBase.LOGON32_PROVIDER_DEFAULT,
    phUser);

Slide 9.
  // user group memberships
  WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(...);
  Advapi32.INSTANCE.GetTokenInformation(
    phUser.getValue(),                 // the HANDLE, not the by-reference wrapper
    WinNT.TOKEN_INFORMATION_CLASS.TokenGroups,
    groups,
    tokenInformationLength.getValue(), // buffer size in
    tokenInformationLength);           // bytes needed out
  for (WinNT.SID_AND_ATTRIBUTES sid : groups.getGroups()) {
    // one entry per group SID in the token
  }

Slide 10.
  // current user name
  Secur32.INSTANCE.GetUserNameEx(format, ...)
  Advapi32.INSTANCE.ImpersonateLoggedOnUser(phUser.getValue());
  // impersonated user
  Secur32.INSTANCE.GetUserNameEx(format, ...)
  Advapi32.INSTANCE.RevertToSelf();

Slide 11.
  • Current User Security Identifier
  • Group Memberships (a list of SIDs)
  • Privileges
  [diagram: Current Process, Current Thread]

Slide 12.
  HANDLE h = Kernel32.INSTANCE.GetCurrentThread();
  HANDLEByReference phToken = new HANDLEByReference();
  Advapi32.INSTANCE.OpenThreadToken(
    h,
    WinNT.TOKEN_DUPLICATE | WinNT.TOKEN_QUERY,
    true, phToken);
  … enumerate groups with Advapi32.INSTANCE.GetTokenInformation
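Slides 8 to 12 show the individual calls; the following is an added example, not code from the deck or from Waffle, that puts them together with JNA's com.sun.jna.platform.win32 bindings: it opens the current process token, collects the group SIDs that are actually enabled in it using the two-call GetTokenInformation sizing idiom, and makes the authorization decision on a SID string rather than a display name. The class, method names and the BUILTIN_ADMINISTRATORS sample policy are this example's own; nested and trusted-domain groups need no LDAP or Net* lookups because Windows flattens them into the token at logon.

```java
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.W32Errors;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinNT;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.platform.win32.WinNT.HANDLEByReference;
import com.sun.jna.ptr.IntByReference;

import java.util.LinkedHashSet;
import java.util.Set;

/** Added example: authorize by token group SIDs (not by the deck or Waffle). */
public final class TokenGroupCheck {

    /** Well-known SID of BUILTIN\Administrators; a sample policy for this example. */
    static final String BUILTIN_ADMINISTRATORS = "S-1-5-32-544";

    /**
     * Returns the SID strings of every group enabled in hToken. Entries flagged
     * SE_GROUP_USE_FOR_DENY_ONLY are skipped: Windows keeps them only to match
     * deny ACEs, so they must never count as a membership that grants access.
     */
    static Set<String> enabledGroupSids(HANDLE hToken) {
        IntByReference needed = new IntByReference();
        // First call with a null buffer only reports the size required.
        if (Advapi32.INSTANCE.GetTokenInformation(hToken,
                WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, null, 0, needed)
                || Kernel32.INSTANCE.GetLastError() != W32Errors.ERROR_INSUFFICIENT_BUFFER) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        WinNT.TOKEN_GROUPS groups = new WinNT.TOKEN_GROUPS(needed.getValue());
        if (!Advapi32.INSTANCE.GetTokenInformation(hToken,
                WinNT.TOKEN_INFORMATION_CLASS.TokenGroups, groups, needed.getValue(), needed)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        Set<String> sids = new LinkedHashSet<>();
        for (WinNT.SID_AND_ATTRIBUTES group : groups.getGroups()) {
            boolean enabled = (group.Attributes & WinNT.SE_GROUP_ENABLED) != 0;
            boolean denyOnly = (group.Attributes & WinNT.SE_GROUP_USE_FOR_DENY_ONLY) != 0;
            if (enabled && !denyOnly) {
                sids.add(Advapi32Util.convertSidToStringSid(group.Sid));
            }
        }
        return sids;
    }

    public static void main(String[] args) {
        // Process token: the same TOKEN_GROUPS query works on a thread token
        // obtained with OpenThreadToken while impersonating (slides 10 and 12).
        HANDLEByReference phToken = new HANDLEByReference();
        if (!Advapi32.INSTANCE.OpenProcessToken(Kernel32.INSTANCE.GetCurrentProcess(),
                WinNT.TOKEN_QUERY, phToken)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        HANDLE hToken = phToken.getValue();
        try {
            Set<String> sids = enabledGroupSids(hToken);
            for (String sid : sids) {
                // Name resolution is for display only; the decision below uses the SID.
                String name;
                try {
                    name = Advapi32Util.getAccountBySid(sid).fqn;
                } catch (Win32Exception unresolved) {
                    name = "<unresolved>";   // e.g. a logon or capability SID
                }
                System.out.println(sid + "  " + name);
            }
            System.out.println("member of BUILTIN\\Administrators: "
                    + sids.contains(BUILTIN_ADMINISTRATORS));
        } finally {
            Kernel32.INSTANCE.CloseHandle(hToken);
        }
    }
}
```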
Slide 13.
  • Since Windows 2000
  • Multi-Master Directory Service w/ Trusts
    Storage: Domain Data, User Data, User Group Data, Security Data, Etc.
  • Active Directory Service Interface (ADSI)

Slide 14.
  SSP = Security Support Provider
    Kerberos, Microsoft Windows NT LAN Manager (NTLM), Negotiate
  SSPI
    Proprietary Implementation of GSSAPI (IETF Standard)
    Integrated Distributed Security Services

Slide 15.
  1. Insert a Smart Card into a Reader
  2. Logon to a Server Joined to an AD Domain
  3. Navigate to a Website, No Prompts
  4. Check Permissions w/ Application
  5. Logged on as a Domain User on the Server
  6. $$$

Slide 16. Secur32.dll
  AcquireCredentialsHandle
  InitializeSecurityContext
  AcceptSecurityContext

Slide 19.
  • Waffle Provides Windows Authentication and Authorization Functions
  • Filters and Providers for Application Servers: Tomcat, Jetty, WebSphere, etc.
  • Open-Source
  http://waffle.codeplex.com

Slide 20.
  • Waffle-jna.jar + jna.jar + platform.jar
  • WEB-INF\web.xml
      <filter>
        <filter-name>SecurityFilter</filter-name>
        <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
  • JSP Page
      <%= request.getUserPrincipal().getName() %>

Slide 21.
  GET /secure HTTP/1.1

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM

  GET /secure HTTP/1.1
  Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgo…9kqa6BepAo=

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=

  GET /secure HTTP/1.1
  Authorization: Negotiate oUMwQaADCgEBojoEOE5UTE1TU1AAAQAAA…HQAAAA9SRy02NDEwSU5URVJORVdT

  HTTP/1.1 200 OK
  WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAAB7J3i2ZZ/tlgAAAAA=
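The server side of the slide 21 exchange as a minimal servlet filter. This is an added example, not Waffle's own NegotiateSecurityFilter; it assumes waffle-jna's IWindowsAuthProvider.acceptSecurityToken(connectionId, token, securityPackage) returning an IWindowsSecurityContext with getToken(), isContinue(), getIdentity() and dispose(), an IWindowsIdentity with getSidString(), getFqn(), isGuest() and dispose(), and javax.servlet on the classpath. The point it shows is that a 401 with a WWW-Authenticate token is a handshake leg, not a failure, and that no identity exists until the context stops asking to continue.

```java
import java.io.IOException;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
import waffle.windows.auth.IWindowsAuthProvider;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

/** Added example (not Waffle's filter): drive the Negotiate legs of slide 21. */
public class NegotiateHandshakeFilter implements Filter {
    private final IWindowsAuthProvider auth = new WindowsAuthProviderImpl();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");

        // Leg 1: no credentials yet, offer both packages, Negotiate first.
        if (header == null) {
            response.addHeader("WWW-Authenticate", "Negotiate");
            response.addHeader("WWW-Authenticate", "NTLM");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.flushBuffer();
            return;
        }
        int space = header.indexOf(' ');
        if (space < 0) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String securityPackage = header.substring(0, space);   // "Negotiate" or "NTLM"
        byte[] clientToken = Base64.getDecoder().decode(header.substring(space + 1).trim());

        // NTLM inside SPNEGO needs two client legs on one server context, so the
        // context is keyed by the TCP connection, never by a client-chosen value.
        String connectionId = request.getRemoteAddr() + ":" + request.getRemotePort();
        IWindowsSecurityContext ctx = auth.acceptSecurityToken(connectionId, clientToken, securityPackage);

        // AcceptSecurityContext output goes back in every leg, including the
        // final mutual-authentication token on the 200 shown on slide 21.
        byte[] serverToken = ctx.getToken();
        if (serverToken != null && serverToken.length > 0) {
            response.setHeader("WWW-Authenticate",
                    securityPackage + " " + Base64.getEncoder().encodeToString(serverToken));
        }
        if (ctx.isContinue()) {
            // Leg 2 (e.g. the NTLM challenge): keep the connection open and ask again.
            response.setHeader("Connection", "keep-alive");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.flushBuffer();
            return;
        }
        IWindowsIdentity identity = ctx.getIdentity();
        try {
            if (identity.isGuest()) {   // a Guest mapping is not an authenticated login
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Waffle's real filter wraps the request so getUserPrincipal() works;
            // here the SID (the stable key) and the name (for display) are exposed as attributes.
            request.setAttribute("windows.sid", identity.getSidString());
            request.setAttribute("windows.fqn", identity.getFqn());
            chain.doFilter(request, response);
        } finally {
            identity.dispose();
            ctx.dispose();
        }
    }
}
```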
Slide 22.
  IWindowsAuthProvider
  IWindowsAccount
  IWindowsComputer
  IWindowsDomain
  IWindowsIdentity

  IntPtr securityToken = Advapi32.LogonUser(
    username, domain, password);
  WindowsIdentity windowsIdentity =
    new WindowsIdentity(securityToken);
  return windowsIdentity.Groups;

Slide 23.
  @
