从Java Servlet模拟用户 [英] Impersonating a user from a Java Servlet

问题描述

鉴于Java Servlet（在Windows服务器上运行）通过ProcessBuilder创建一个新进程，我有什么选择让新进程作为调用servlet原始Web请求的用户运行？

Given a Java Servlet (running on a Windows server) which creates a new process via ProcessBuilder, what are my options for having that new process run as the user who invoked the original web request to the servlet?

为了澄清，我想要的是类似

To clarify, what I want is that something like

ProcessBuilder pb = new ProcessBuilder("whoami");
Process p = pb.start();
// p.getOutputStream() should contain the name of the remote user,
// not the user running the app server

真正的目标是执行一些安全检查（例如，查看用户是否能够打开文件，或在内部企业系统中查看此类记录）。

And the real goal is to perform some security checks (say, to see if the user if able to open a file, or view such-and-such record in an internal enterprise system).

显然，用户需要通过应用程序服务器或java代码以某种方式进行身份验证 - 理想情况下我希望以某种方式进行身份验证单点登录（即没有用户输入密码），如果解决方案仅适用于已经登录到域的Windows客户端（如果不是限制，则更好）。我目前正在使用Jetty作为应用服务器，但如果有必要，切换到其他东西肯定是一个可行的选择。

Clearly the user will need to be authenticated somehow, either by the app server or the java code - Ideally I'd like that to be in some way that works with single sign on (i.e. without the user entering a password), and it's fine if the solution works only from Windows clients who are already logged onto a domain (though even better if that's not a restriction). I'm currently using Jetty as the app server, but switching to something else would certainly be a viable option if necessary.

（如果它有助于澄清，我是基本上希望替换当前使用IIS的模拟功能的CGI脚本在发出请求的用户的上下文中运行。

(If it helps to clarify, I'm basically looking to replace a CGI script which currently uses IIS's impersonation features to run in the context of the user making the request)

推荐答案

项目 Waffle 将（几乎）在那里。它实施了SSO和模拟。

Project Waffle will get you (almost) there. It has SSO and impersonation implemented.

这篇关于从Java Servlet模拟用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！