原文地址: http://stackoverflow.com/questions/17918344/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What is this Waffle SSO example doing
Asked by Thomas Uhrig
I'm trying to implement a SSO on Windows (in Java). Recently I discovered this example doing exactly what I want to do with Waffle:
    import com.sun.jna.platform.win32.Advapi32Util;
    import com.sun.jna.platform.win32.Sspi;
    import com.sun.jna.platform.win32.Sspi.SecBufferDesc;
    import waffle.windows.auth.IWindowsAccount;
    import waffle.windows.auth.IWindowsCredentialsHandle;
    import waffle.windows.auth.IWindowsSecurityContext;
    import waffle.windows.auth.impl.WindowsAuthProviderImpl;
    import waffle.windows.auth.impl.WindowsCredentialsHandleImpl;
    import waffle.windows.auth.impl.WindowsSecurityContextImpl;

    public class WaffleSsoExample {
        public static void main(String[] args) {
            // security package used on both sides (referenced but not declared in the posted snippet)
            String securityPackage = "Negotiate";

            // client credentials handle: the logged-on user's credentials, obtained from SSPI
            IWindowsCredentialsHandle credentials = WindowsCredentialsHandleImpl.getCurrent("Negotiate");
            credentials.initialize();

            // initial client security context: produces the first token to send to the server
            WindowsSecurityContextImpl clientContext = new WindowsSecurityContextImpl();
            clientContext.setPrincipalName(Advapi32Util.getUserName());
            clientContext.setCredentialsHandle(credentials.getHandle());
            clientContext.setSecurityPackage(securityPackage);
            clientContext.initialize();

            // accept on the server
            WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
            IWindowsSecurityContext serverContext = null;
            do {
                if (serverContext != null) {
                    // initialize on the client: feed the server's reply token back into the client context
                    SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverContext.getToken());
                    clientContext.initialize(clientContext.getHandle(), continueToken);
                }
                // accept the token on the server
                serverContext = provider.acceptSecurityToken(clientContext.getToken(), "Negotiate");
            } while (clientContext.getContinue() || serverContext.getContinue());

            // once neither side needs to continue, the server context holds the authenticated identity
            System.out.println(serverContext.getIdentity().getFqn());
            for (IWindowsAccount group : serverContext.getIdentity().getGroups()) {
                System.out.println(" " + group.getFqn());
            }
            // ...
        }
    }
The example is easy, it works and it seems to do exactly what I want. But I don't understand how it works.
- What is happening in the background?
- Does Waffle get the Kerberos ticket from Windows?
- How does the server validate the ticket of the client?
- Can I absolutely trust the user groups which I get after the do-loop from the server context?
Thanks. Thomas.
Answered by Marko Topolnik
Does Waffle get the Kerberos ticket from Windows?
Waffle uses the Windows SSPI, which performs all operations involving Kerberos tickets on client's behalf. The client never sees the ticket.
How does the server validate the ticket of the client?
This is a basic Kerberos question. The token sent to the server is encrypted by the server's secret key, which guarantees that the token was created by the Ticket Granting Service, which authenticated the client.
Can I absolutely trust the user groups which I get after the do-loop from the server context?
Yes, they are retrieved from the security token. This is a Windows-specific extension of the MIT Kerberos protocol.
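An added example (not part of the question, the answer, or the Waffle project) showing how a server would consume the identity that the accept loop above yields: since the groups come from the token the server decrypted with its own key, an authorization decision can be based on them, and it is more robust to compare group SIDs than display names. The well-known SID for BUILTIN\Administrators is S-1-5-32-544; the method names on IWindowsIdentity and IWindowsAccount are the ones used on this page plus getSidString() and isGuest(), which are assumed to exist in the Waffle version in use.

```java
import waffle.windows.auth.IWindowsAccount;
import waffle.windows.auth.IWindowsIdentity;

public final class WaffleAuthorization {

    // Well-known SID for BUILTIN\Administrators, used here only as an example of an SID-based check.
    public static final String BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544";

    private WaffleAuthorization() {}

    /**
     * Returns true if the authenticated identity carries the given group SID.
     * The group list was filled by SSPI from the server-validated token, so it
     * reflects what the domain controller asserted, not what the client claimed.
     */
    public static boolean isMemberOf(IWindowsIdentity identity, String groupSid) {
        for (IWindowsAccount group : identity.getGroups()) {
            // Compare SIDs, not display names: names are localized and can be renamed.
            if (groupSid.equalsIgnoreCase(group.getSidString())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authorization decision for an identity produced by a completed accept loop.
     * Anonymous/guest logons are rejected even though the handshake itself succeeded.
     */
    public static boolean isAuthorized(IWindowsIdentity identity, String requiredGroupSid) {
        if (identity == null || identity.isGuest()) {
            return false;
        }
        return isMemberOf(identity, requiredGroupSid);
    }

    // Usage after the handshake: the identity must be disposed once the decision is made.
    public static boolean authorizeAndRelease(IWindowsIdentity identity, String requiredGroupSid) {
        try {
            return isAuthorized(identity, requiredGroupSid);
        } finally {
            if (identity != null) {
                identity.dispose();
            }
        }
    }
}
```

Call authorizeAndRelease(serverContext.getIdentity(), WaffleAuthorization.BUILTIN_ADMINISTRATORS_SID) after the do-loop finishes; the server context itself should also be disposed when the connection ends.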