MyFist

Reputation: 413

How to use WAFFLE for SSO using a standalone Java client

We are trying to use WAFFLE for SSO using a standalone Java client with JAAS. We've mentioned waffle.jaas.WindowsLoginModule in our jaas.conf, but it is prompting for a user name and password, which we believe is not an ideal solution for SSO. Can anyone suggest how to avoid this?

FYI - We aren't using any web/app server.

Upvotes: 2

Views: 2176

Answers (3)

Glen

Reputation: 682

I believe you will need both a server and client for SSO. You can have a look at this example; it doesn't use the login module but the underlying WindowsSecurityContext classes included in WAFFLE to pass the Kerberos tokens back and forth to get the logged-in user.

Upvotes: 1

Maneesh Sharma

Reputation: 1

Below are the steps to do single sign-on using Waffle for a standalone Java client without using a server.

  1. Create client credentials
  2. Get service ticket using initializeSecurityContext of WindowsSecurityContextImpl.
  3. Get WindowsIdentity using accessSecurityContext of WindowsAuthProviderImpl

Original link: https://exceptionshub.com/getting-kerberos-service-ticket-using-waffle-in-java.html

For client-server SSO, you should follow https://code.dblock.org/2010/04/08/pure-java-waffle.html. The code below depicts standalone Java SSO using Kerberos.

import com.sun.jna.platform.win32.Sspi;
import waffle.windows.auth.IWindowsCredentialsHandle;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAccountImpl;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

public class KerberosSingleSignOn {
  public static void main(String[] args) {
    try {
      System.out.println(getWindowsIdentity().getFqn());
    }
    catch (Exception e) {
      e.printStackTrace();
    }
  }

  public static IWindowsIdentity getWindowsIdentity() throws Exception {
    try {
      byte[] kerberosToken = getServiceTicketSSPI();
      WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
      IWindowsSecurityContext securityContext = provider
        .acceptSecurityToken("client-connection", kerberosToken, "Kerberos");
      return securityContext.getIdentity();
    }
    catch (Exception e) {
      // Keep the original exception as the cause so SSPI errors stay diagnosable
      throw new Exception("Failed to process kerberos token", e);
    }
  }

  public static byte[] getServiceTicketSSPI() throws Exception {
    final String securityPackage = "Kerberos";
    IWindowsCredentialsHandle clientCredentials = null;
    WindowsSecurityContextImpl clientContext = null;
    final String currentUser = WindowsAccountImpl.getCurrentUsername();
    try {
      clientCredentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);
      clientCredentials.initialize();
      // initial client security context
      clientContext = new WindowsSecurityContextImpl();
      clientContext.setCredentialsHandle(clientCredentials.getHandle());
      /*OR 
       clientContext.setCredentialsHandle(clientCredentials);
       */
      clientContext.setSecurityPackage(securityPackage);
      final Sspi.SecBufferDesc continueToken = null;
      do {
        System.out.println("Using current username: " + currentUser);
        clientContext.initialize(clientContext.getHandle(), continueToken, currentUser);
      }
      while (clientContext.isContinue());

      return clientContext.getToken();
    }
    catch (Exception e) {
      // Keep the original exception as the cause so SSPI errors stay diagnosable
      throw new Exception("Failed to process kerberos token", e);
    }
    finally {
      if (clientContext != null)
        clientContext.dispose();
      if (clientCredentials != null)
        clientCredentials.dispose();
    }
  }
}

Upvotes: 0

shafeek

Reputation: 1

Instead of using Waffle and making it complicated, you can simply use System.getProperty("user.name"), which would provide the user name.

Upvotes: -1
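Added example, not part of any answer above: after the SSPI round trip from the second answer yields an `IWindowsIdentity`, the client still has to decide what that identity may do, and the result can be compared with the `user.name` property. The class name, the connection id `local-sso` and the sample group SID are assumptions; it also assumes, as that answer's code does, a domain-joined Windows host where the Kerberos exchange completes in one round.

```java
import java.util.Set;
import waffle.windows.auth.IWindowsAccount;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAccountImpl;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

public class SsoAuthorization {
  // Assumption: sample policy. S-1-5-32-545 is the well-known BUILTIN\Users SID;
  // replace it with the SID of the group that may use the client.
  static final Set<String> ALLOWED_GROUP_SIDS = Set.of("S-1-5-32-545");

  /** Authorization decision on an SSPI-validated identity; disposes it afterwards. */
  static String authorize(IWindowsIdentity identity) {
    try {
      if (identity.isGuest()) {
        throw new SecurityException("guest logon rejected");
      }
      for (IWindowsAccount group : identity.getGroups()) {
        if (ALLOWED_GROUP_SIDS.contains(group.getSidString())) {
          return identity.getFqn();
        }
      }
      throw new SecurityException(identity.getFqn() + " is not in an allowed group");
    } finally {
      identity.dispose(); // releases the underlying Windows token handle
    }
  }

  public static void main(String[] args) {
    final String pkg = "Kerberos";
    // Client side: token for the logged-on user, no user name or password prompt.
    IWindowsSecurityContext client =
        WindowsSecurityContextImpl.getCurrent(pkg, WindowsAccountImpl.getCurrentUsername());
    IWindowsSecurityContext server = null;
    try {
      // Acceptor side: Windows validates the token; the identity comes from the OS.
      server = new WindowsAuthProviderImpl().acceptSecurityToken("local-sso", client.getToken(), pkg);
      if (server.isContinue()) {
        throw new SecurityException("handshake incomplete, identity not established");
      }
      System.out.println("SSPI identity:      " + authorize(server.getIdentity()));
      // Set by whoever launches the JVM (-Duser.name=...): a label, not a credential.
      System.out.println("user.name property: " + System.getProperty("user.name"));
    } finally {
      client.dispose();
      if (server != null) server.dispose();
    }
  }
}
```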
