Browse files

Added the long promised history.

  • Loading branch information...
1 parent 1a99363 commit d87e6da7504b9c840ab4571cbb6d55c3284503ab @dblock dblock committed Jul 9, 2012
Showing with 15 additions and 0 deletions.
  1. +15 −0
@@ -0,0 +1,15 @@
+Waffle: The Long Story
+We, [AppSecInc.](, had a pickle.
+Our application, written in Java and running exclusively on Windows, needed Windows authentication. We started with FORMS and had no idea how to do this. After logon we wanted to get the logged on user and his group memberships.
+* We got the username and used it for permissions. This was wrong because the username can change. We should have used the SID, but that was harder to get.
+* We enumerated local groups to find out group members. Then we used group names for permissions. This was wrong because group names change. We should have used the group SIDs.
+From local users we extended this to support Active Directory. We made another fatal mistake. We attempted to enumerate domain groups via LDAP to find out those that the user is a member of. This was wrong because it ignores domain trusts. This was also very hard because groups can be nested (we never got it to work that way).
+From Active directory Support we wanted to do single-sign-on. We couldn't do it, so we went back to the drawing board.
+Waffle is all of the above done right, open-source and free.

0 comments on commit d87e6da

Please sign in to comment.