tomcatspnego with delegation jsp

Apr 17, 2014 at 2:06 PM
Do you have an example JSP that works with SPNEGO for delegation?

I tried the one here (http://spnego.sourceforge.net/credential_delegation.html), but I believe this is for a different SPNEGO version.

The result with this one I get in the browser is as follows:

HTTP Status 500 - Unable to compile class for JSP:

type Exception report

message Unable to compile class for JSP:

description The server encountered an internal error that prevented it from fulfilling this request.

exception

org.apache.jasper.JasperException: Unable to compile class for JSP:

An error occurred at line: 11 in the jsp file: /hello_delegate.jsp DelegateServletRequest cannot be resolved to a type
8: </head>
9: <body>
10: <%
11: if (request instanceof DelegateServletRequest) {
12: DelegateServletRequest dsr = (DelegateServletRequest) request;
13: GSSCredential creds = dsr.getDelegatedCredential();
14:


An error occurred at line: 12 in the jsp file: /hello_delegate.jsp DelegateServletRequest cannot be resolved to a type
9: <body>
10: <%
11: if (request instanceof DelegateServletRequest) {
12: DelegateServletRequest dsr = (DelegateServletRequest) request;
13: GSSCredential creds = dsr.getDelegatedCredential();
14:
15: if (null == creds) {


An error occurred at line: 12 in the jsp file: /hello_delegate.jsp DelegateServletRequest cannot be resolved to a type
9: <body>
10: <%
11: if (request instanceof DelegateServletRequest) {
12: DelegateServletRequest dsr = (DelegateServletRequest) request;
13: GSSCredential creds = dsr.getDelegatedCredential();
14:
15: if (null == creds) {


An error occurred at line: 20 in the jsp file: /hello_delegate.jsp SpnegoHttpURLConnection cannot be resolved to a type
17: } else {
18: out.print(creds.getName().toString());
19:
20: SpnegoHttpURLConnection spnego =
21: new SpnegoHttpURLConnection(creds);
22:
23: spnego.connect(new URL("http://perseus.athena.local:8080/hello_spnego.jsp"));


An error occurred at line: 21 in the jsp file: /hello_delegate.jsp SpnegoHttpURLConnection cannot be resolved to a type
18: out.print(creds.getName().toString());
19:
20: SpnegoHttpURLConnection spnego =
21: new SpnegoHttpURLConnection(creds);
22:
23: spnego.connect(new URL("http://perseus.athena.local:8080/hello_spnego.jsp"));
24:


Stacktrace:
org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:103)
org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:366)
org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:468)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:378)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:353)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:340)
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:657)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:357)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
Coordinator
May 5, 2014 at 10:31 AM
Hello

I do not use this solution because the administrators of Active Directory do not like it: the account used becomes dangerous. Some clients could have a powerful account.

To use delegation, you must change a parameter on the account used by tomcat. The account must be trusted for delegation.

Did you put, on Active Directory, this parameter on the account used by tomcat with the solution spnego.sourceforge.net?

Dominique
May 5, 2014 at 1:15 PM
The account does have delegation rights, but I am using the tomcatspnego.codeplex.com solution.
Does that solution support delegation?
I was looking for a JSP example to perform the delegation with tomcatspnego.codeplex.com.
Do you have one?
Coordinator
May 6, 2014 at 3:53 PM
It is not possible to use delegation with tomcatspnego and negoserver.
With negoserver, it would be possible to modify the code of the Windows service. But, in this case, the code used by the delegation must be launched by Negoserver running on the Windows server.
With JNA, it will be possible to add something. We obtain the groups of the user with the access token. But we must add something. And the version with JNA works only when tomcat is running on Windows.

You can see Waffle. It uses JNA. But it can only be used with tomcat running on Windows.
In fact, Waffle gives a solution on Windows to use the Kerberos or NTLM authentication in Java.

If tomcat is running on UNIX, you must use spnego.sourceforge.net.
You can also read the code of tomcat 7. It uses the delegation to read the groups of the user. The groups are found in Active Directory via the delegation.

At first, I wrote a solution with JDK 6, something like the solution given by tomcat 7. But Kerberos does not work when the client is on the same computer as the server. It was a problem with tomcat running with eclipse. And it was difficult to find the groups in the Kerberos ticket. Difficult but possible.
So I wrote a solution with JNI. Afterwards, I wrote a Windows service. This service could be used by tomcat running on unix.

After I developed a solution in java with GSSApi and afterwards with SSPI in C and JNI, I wrote a doc in French.

I did not test the version spnego.sourceforge.net. I think that Negoserver is easier to use when tomcat is running on unix. But if you want delegation, it would be better to use the solution on sourceforge. But the configuration will not be easy.

Dominique
May 12, 2014 at 4:49 PM
Is it possible to use the Negoserver in both Windows and Linux implementations with delegation?
I think you said some code would have to change in the negoserver.
Is this a code change you have planned or can implement?
If not, can you point me to where the change(s) need to go?
Coordinator
May 15, 2014 at 4:41 PM
hello,

The level of impersonation is defined in the file Negoserver.cs, line 1851.
TokenImpersonation could be set to delegation.
With level Identification, the server can create an access token and find the privileges, the groups... The server can also verify the rights of the client with AccessCheck.
With level Impersonation, the server can impersonate the identity of the client but only on the local server.
With level Delegation, the server can impersonate the identity of the client on remote servers.

On line 1869, you find the WindowsIdentity of the client, idclient.
You could use
using (WindowsImpersonationContext impersonatedUser = idclient.Impersonate())
{
    // ... executed with the identity of the client
}
or
WindowsImpersonationContext impersonatedUser = idclient.Impersonate();
// ...
impersonatedUser.Undo();

The first solution is more secure: an exception could be thrown.

To test the possibility of delegation, you can change the level of Impersonation on the line 1851 and verify the authentication.

I could do that and send you the exe.

Dominique
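An added example (not NegoServer code, and not from the thread's authors) of the pattern described in the post above: the client's WindowsIdentity (idclient in Negoserver.cs) is impersonated only for the duration of one callback, and the revert always happens, even when the callback throws. The helper names RunAsClient and RequireLevel are assumptions; the level check relies on the fact that the TokenImpersonationLevel values are ordered from Identification up to Delegation.

```csharp
using System;
using System.Security.Principal;

// Added example, not part of NegoServer. Names are hypothetical.
static class ImpersonationHelper
{
    // Refuse to run work that needs a stronger token than the one we hold.
    // Identification: read name/groups and AccessCheck only, no impersonation.
    // Impersonation:  act as the client on this server only.
    // Delegation:     act as the client towards remote servers (HTTP, LDAP, ...).
    static void RequireLevel(WindowsIdentity id, TokenImpersonationLevel needed)
    {
        if (id.ImpersonationLevel < needed)
            throw new InvalidOperationException(
                "token level " + id.ImpersonationLevel + " is below " + needed);
    }

    // Run 'work' with the client's identity and guarantee the revert (Undo):
    // disposing the WindowsImpersonationContext calls Undo, also when work()
    // throws, which is why the using form is the safer of the two variants.
    public static T RunAsClient<T>(WindowsIdentity idclient,
                                   TokenImpersonationLevel needed,
                                   Func<T> work)
    {
        RequireLevel(idclient, needed);
        using (WindowsImpersonationContext ctx = idclient.Impersonate())
        {
            // Everything here executes with the identity of the client.
            return work();
        } // ctx.Undo() runs here
    }
}

// Usage (idclient comes from the SSPI token, as in Negoserver.cs):
// a call to a remote server needs Delegation, a local check only Impersonation.
//   string who = ImpersonationHelper.RunAsClient(idclient,
//       TokenImpersonationLevel.Delegation,
//       () => WindowsIdentity.GetCurrent().Name);
```

When only the client's name and group SIDs are needed, as the coordinator notes later in the thread, Identification is enough and no impersonation at all is required.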
Coordinator
May 16, 2014 at 4:35 PM
Hello,

I added a new file negoserver.exe with delegation.
You can try the authentication.
If it works, we could add the possibility to do something with the delegation.

Download negoserverdeleg.zip. I changed the line 1851 with TokenImpersonation.Delegation.
Dominique
May 28, 2014 at 4:50 PM
Edited May 28, 2014 at 4:59 PM
I tried it and it appears to work.
How can I configure what I am delegating to?
Any additional updates you need to make to the negoserver then?
Are your changes posted on this site?
Can I get the latest .cs file with those changes?
At the moment, I am looking here: https://tomcatspnego.codeplex.com/SourceControl/latest#tcp/dotnet/NegoServer.cs
...but I do not see the change(s) made.
Coordinator
Jun 1, 2014 at 6:23 AM
Edited Jun 1, 2014 at 6:47 AM
Hello
You can find the source code in the file trunk22032014.zip.
I changed my PC. The old one was broken. I send the zip but not the source via svn. I must do that.

You have to change line 1851 of negoserver.cs.
I use the impersonation with the level Impersonate. (In fact, it would be better to use TokenImpersonationLevel.Identity, because negoserver uses only the name of the client and the SIDs of his groups.)

1) You have to replace TokenImpersonationLevel.Impersonation by TokenImpersonationLevel.Delegation.
2) The code used by the delegation must be on line 1869.

There are many possibilities to add a configuration.
Do you want to call another HTTP server? a Ldap server?
What do you want to impersonate with the level Delegation?

Dominique
Jun 2, 2014 at 11:26 AM
So the exe you provided in negoserverdeleg.zip already has the change for line 1851?
What (if anything) was changed on 1869 in your exe in negoserverdeleg.zip?
Is the idclient on 1869 what you would then pass onto another application or web service?

Are you able to also alter the code for the JNA version to handle delegation?
Coordinator
Jun 13, 2014 at 1:01 PM
Hello,
Excuse me... I was not at home.

When the user is authenticated, the context is used to find the name and the groups of the user. Afterwards, all the context is disposed. The name and the groups are conserved in the principal. When there is a session, tomcat adds the principal to the session.

I have to modify the code to keep the identity, and afterwards you will have to impersonate before calling the service.
All the solutions can be used (JNA, JNI or TCP).
But, to help you, I must know what you want to do. I must dispose the Identity, else the service will not be scalable.
For instance, the server calls another server via HTTP and afterwards the identity can be disposed.

You can also use Waffle. It gives a solution to do Windows authentication with java. It can be used without HTTP.
SSPI is used so Waffle can only be used on Windows.

Do you want a solution with tomcat on Windows?

Dominique