java票证管理办法,使用Java中的kerberos票证获取AD组

I am obtaining a kerberos ticket with the following code:

String client = "com.sun.security.jgss.krb5.initiate";

LoginContext lc = new LoginContext(client, new CallbackHandler() {

@Override

public void handle(Callback[] arg0) throws IOException, UnsupportedCallbackException {

System.out.println("CB: " + arg0);

}

});

lc.login();

System.out.println("SUBJ: " + lc.getSubject());

This code works fine, I get a subject that shows my user ID. The problem I'm having is now I need to know whether the user belongs to a certain group in AD. Is there a way to do this from here?

I've seen code to get user groups using LDAP but it requires logging in with a user/password, I need to do it the SSO way.

解决方案

You cannot actually do this with the kind of ticket you get at login. The problem is that the Windows PAC (which contains the group membership information) is in the encrypted part of the ticket. Only the domain controller knows how to decrypt that initial ticket.

It is possible to do with a service ticket.

So, you could set up a keytab, use jgss to authenticate to yourself and then decrypt the ticket, find the PAC, decode the PAC and then process the SIDs. I wasn't able to find code for most of that in Java, although it is available in C. Take a look at this for how to decrypt the ticket.

Now, at this point you're talking about writing or finding an NDR decoder, reading all the specs about how the PAC and sids are put together, or porting the C code to Java.

My recommendation would be to take a different approach.

Instead, use Kerberos to sign into LDAP. Find an LDAP library that supports Java SASL and you should be able to use a Kerberos ticket to log in.

If your application wants to know the groups the user belongs to in order to populate menus and stuff like that, you can just log in as the user.

However, if you're going to decide what access the user has, don't log in as the user to gain access to LDAP. The problem is that with Kerberos, an attacker can cooperate with the user to impersonate the entire infrastructure to your application unless you confirm that your ticket comes from the infrastructure.

That is, because the user knows their password, and because that's the only secret your application knows about, the user can cooperate with someone to pretend to be the LDAP server and claim to have any access they want.

Instead, your application should have its own account to use when accessing LDAP. If you do that, you can just look up the group list.

I do realize this is all kind of complex.