What is this Waffle SSO example doing

Problem description

I'm trying to implement an SSO on Windows (in Java). Recently I discovered this example doing exactly what I want to do with Waffle:

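// SSPI security package used by both sides of the handshake
String securityPackage = "Negotiate";

// client credentials handle
IWindowsCredentialsHandle credentials = WindowsCredentialsHandleImpl.getCurrent(securityPackage);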
credentials.initialize();

// initial client security context
WindowsSecurityContextImpl clientContext = new WindowsSecurityContextImpl();
clientContext.setPrincipalName(Advapi32Util.getUserName());
clientContext.setCredentialsHandle(credentials.getHandle());
clientContext.setSecurityPackage(securityPackage);
clientContext.initialize();

// accept on the server
WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
IWindowsSecurityContext serverContext = null;

do {  

    if (serverContext != null) {

        // initialize on the client
        SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, serverContext.getToken());
        clientContext.initialize(clientContext.getHandle(), continueToken);
    }  

    // accept the token on the server
    serverContext = provider.acceptSecurityToken(clientContext.getToken(), "Negotiate");

} while (clientContext.getContinue() || serverContext.getContinue());

System.out.println(serverContext.getIdentity().getFqn());
for (IWindowsAccount group : serverContext.getIdentity().getGroups()) {
    System.out.println(" " + group.getFqn());
}            

...

The example is easy, it works and it seems to do exactly what I want. But I don't understand how it works.


  • What is happening in the background?
  • Does Waffle get the Kerberos ticket from Windows?
  • How does the server validate the ticket of the client?
  • Can I absolutely trust the user groups which I get after the do-loop from the server context?

Thanks. Thomas.

Recommended answer


Does Waffle get the Kerberos ticket from Windows?

Waffle uses the Windows SSPI, which performs all operations involving Kerberos tickets on the client's behalf. The client never sees the ticket.


How does the server validate the ticket of the client?

This is a basic Kerberos question. The token sent to the server is encrypted by the server's secret key, which guarantees that the token was created by the Ticket Granting Service, which authenticated the client.


Can I absolutely trust the user groups which I get after the do-loop from the server context?

Yes, they are retrieved from the security token. This is a Windows-specific extension of the MIT Kerberos protocol.
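
The "Negotiate" package used in the question lets SSPI choose between Kerberos and NTLM, so the first token from clientContext.getToken() is not necessarily Kerberos. The following is an added example, not code from the original post or from Waffle, that inspects the leading bytes of an initial token to see which mechanism was offered; the class and method names are hypothetical and the sample bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical helper (not part of Waffle): classifies the first token of a "Negotiate" handshake.
public class NegotiateTokenInspector {

    enum Mechanism { NTLM, SPNEGO, KERBEROS, UNKNOWN }

    // "NTLMSSP\0" is the signature at the start of every NTLM message.
    private static final byte[] NTLM_SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded OIDs: SPNEGO 1.3.6.1.5.5.2 and Kerberos V5 1.2.840.113554.1.2.2.
    private static final byte[] SPNEGO_OID = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    private static final byte[] KRB5_OID =
        {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    static Mechanism classify(byte[] token) {
        if (token == null || token.length < 2) return Mechanism.UNKNOWN;
        if (startsWith(token, 0, NTLM_SIG)) return Mechanism.NTLM;
        // GSS-API initial tokens start with [APPLICATION 0] (0x60), a DER length, then the mechanism OID.
        // Later SPNEGO rounds use a different tag and are reported as UNKNOWN here.
        if ((token[0] & 0xff) != 0x60) return Mechanism.UNKNOWN;
        int oidAt = 2;
        int lenByte = token[1] & 0xff;
        if (lenByte >= 0x80) oidAt += lenByte & 0x7f; // long-form length: skip the extra length bytes
        if (startsWith(token, oidAt, SPNEGO_OID)) return Mechanism.SPNEGO;
        if (startsWith(token, oidAt, KRB5_OID)) return Mechanism.KERBEROS;
        return Mechanism.UNKNOWN;
    }

    private static boolean startsWith(byte[] data, int offset, byte[] prefix) {
        if (offset < 0 || data.length - offset < prefix.length) return false;
        return Arrays.equals(Arrays.copyOfRange(data, offset, offset + prefix.length), prefix);
    }

    public static void main(String[] args) {
        // Constructed sample headers (not captured traffic); only the leading bytes matter here.
        byte[] ntlm = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0, 1, 0, 0, 0};
        byte[] spnego = {0x60, (byte) 0x82, 0x05, 0x10, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        System.out.println(classify(ntlm));
        System.out.println(classify(spnego));
        System.out.println(classify(new byte[] {0x01, 0x02}));
    }
}
```

A SPNEGO result only says the token is wrapped for negotiation; the mechanism actually used is decided inside SSPI, so treat this header check as a logging diagnostic rather than as the authentication decision.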
