Impersonating a user from a Java servlet

Given the Java Servlet (runs on a Windows server) that creates a new process through ProcessBuilder, what are my options for starting this new process as the user who called the original web request for the servlet?

To clarify, I want something like

ProcessBuilder pb = new ProcessBuilder("whoami");
Process p = pb.start();
// p.getInputStream() (the child's stdout) should contain the name of the remote user,
// not the user running the app server

And the real goal is to perform some security checks (for example, see if a user can open a file or view a certain record in the internal corporate system).

Obviously, the user needs to somehow authenticate with either the application server or the Java code. Ideally, I would like it to work with single sign-on (i.e., without the user entering a password), and it is fine if the solution works only with Windows clients that are already logged into the domain (although even better if this is not a limitation). I am currently using Jetty as the application server, but if necessary, switching to something else would certainly be a viable option.

(If this helps clarify: I basically want to replace a CGI script which currently uses the IIS impersonation functions to run in the context of the user making the request.)

2 answers

The Waffle project will get you (almost) there. It provides SSO and is implemented using impersonation.

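An added example (not from this answer or from the Waffle project itself) of how the pieces fit together: Waffle's `waffle.servlet.NegotiateSecurityFilter` performs the Kerberos/NTLM negotiation with the browser and attaches a `WindowsPrincipal` to the request, and the servlet then impersonates that identity on the current thread only for the duration of the check. The servlet class name and the protected file path are made up; the example assumes Waffle's servlet module is on the classpath and the filter is mapped in front of this servlet.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import waffle.servlet.WindowsPrincipal;
import waffle.windows.auth.IWindowsImpersonationContext;

/**
 * Added example: runs behind waffle.servlet.NegotiateSecurityFilter, which
 * completes the SSO handshake and sets a WindowsPrincipal on the request.
 * The servlet impersonates that identity on the current thread only while
 * it performs the access check, then always reverts.
 */
public class FileAccessCheckServlet extends HttpServlet {

    // Hypothetical resource the remote user must be allowed to read.
    private static final Path PROTECTED_FILE = Paths.get("C:\\corp\\records\\report.txt");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal principal = req.getUserPrincipal();
        if (!(principal instanceof WindowsPrincipal)) {
            // The filter did not authenticate the caller; never fall back to
            // the app server's own identity for the check.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        WindowsPrincipal user = (WindowsPrincipal) principal;
        boolean canRead = canReadAs(user, PROTECTED_FILE);
        resp.setContentType("text/plain");
        resp.getWriter().printf("%s can read %s: %s%n", user.getName(), PROTECTED_FILE, canRead);
    }

    /** Opens the file while the current thread carries the user's token. */
    static boolean canReadAs(WindowsPrincipal user, Path file) throws IOException {
        IWindowsImpersonationContext ctx = user.getIdentity().impersonate();
        try {
            // CreateFile is evaluated against the thread's impersonation token,
            // so the file's ACL decides, not the app server's service account.
            Files.newInputStream(file).close();
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        } finally {
            ctx.revertToSelf();  // always undo impersonation, even on exceptions
        }
    }
}
```

The filter is registered in web.xml as `<filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>` with a mapping that covers this servlet; the impersonation window is kept to the single file open so that a pooled request thread never continues running as the remote user after the check.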

The only option is JNI or some kind of wrapper around JNI, such as JNA. You will need to call the OS API to change your credentials, which will also require the application server to run as an administrator, which in itself is a serious security consideration.

I don't know the Windows API specifically, but most OSes allow a sufficiently powerful profile (admin/root) to assume the identity of any user profile without requiring a password. Otherwise, as a rule, the only way to obtain a user profile token is to provide legitimate credentials for that profile.

One thing to keep in mind: make sure that you change the credentials for the thread, not the entire process.

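An added example (not the answerer's code) of what the "call the OS API" route looks like through JNA's platform bindings, covering the credential fallback this answer describes: `LogonUser` turns legitimate credentials into a token, `ImpersonateLoggedOnUser` applies that token to the current thread only, the check runs, and `RevertToSelf` restores the thread's original identity. It assumes `jna-platform` is on the classpath; the domain, user name and file path are placeholders, and the password must come from the caller rather than being stored anywhere in the application.

```java
import com.sun.jna.platform.win32.Advapi32;
import com.sun.jna.platform.win32.Advapi32Util;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinNT.HANDLE;
import com.sun.jna.platform.win32.WinNT.HANDLEByReference;
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example: thread-scoped impersonation via the Win32 API through JNA. */
public final class ThreadImpersonation {

    @FunctionalInterface
    interface ThrowingSupplier<T> { T get() throws Exception; }

    /** Runs {@code action} on the current thread while it carries {@code user}'s token. */
    static <T> T runAs(String domain, String user, String password,
                       ThrowingSupplier<T> action) throws Exception {
        HANDLEByReference tokenRef = new HANDLEByReference();
        // A network logon is sufficient for a local access check and cheaper than an interactive one.
        if (!Advapi32.INSTANCE.LogonUser(user, domain, password,
                WinBase.LOGON32_LOGON_NETWORK, WinBase.LOGON32_PROVIDER_DEFAULT, tokenRef)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        HANDLE token = tokenRef.getValue();
        try {
            // ImpersonateLoggedOnUser swaps the token on *this thread only*;
            // the process and every other thread keep the service account's token.
            if (!Advapi32.INSTANCE.ImpersonateLoggedOnUser(token)) {
                throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
            }
            try {
                return action.get();
            } finally {
                Advapi32.INSTANCE.RevertToSelf();   // never leave a pooled thread impersonating
            }
        } finally {
            Kernel32.INSTANCE.CloseHandle(token);   // the token handle is a kernel object; release it
        }
    }

    /** Example check: can the impersonated user read the file? Decided by the file's ACL. */
    static boolean canRead(Path file) throws IOException {
        try {
            Files.newInputStream(file).close();
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; in a servlet these come from the request/authentication layer.
        String domain = "CORP";
        String user = "jdoe";
        String password = args.length > 0 ? args[0] : "";
        Path file = Paths.get("C:\\corp\\records\\report.txt");
        String result = runAs(domain, user, password, () -> {
            String effective = Advapi32Util.getUserName();   // GetUserName honours the thread token
            return effective + " can read " + file + ": " + canRead(file);
        });
        System.out.println(result);
    }
}
```

One caveat that matters for the question's `whoami` idea: a child started with `ProcessBuilder` while the thread is impersonating still inherits the process's primary token, because `CreateProcess` does not use the calling thread's impersonation token. The `whoami` child would therefore still report the app server's account; the reliable approach is to perform the file or record check directly on the impersonated thread, as above, rather than in a spawned process.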

Source: https://habr.com/ru/post/1244930/
