Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JAAS logon with GroupName (not FQN) for local (or remote) computer #1145

Open
eekodeerder opened this issue Jan 5, 2021 · 5 comments
Open

Comments

@eekodeerder
Copy link
Contributor

eekodeerder commented Jan 5, 2021

Currently two methods for translating Windows Groups to Application Roles are defined in Waffle: SID and FQN.

There is a use case where using neither the SID or the FQN is possible. The typical case would be where an application defines application roles and we want a Windows Group management system to supply the roles in which the User may operate.

A typical example is Tomcat. Tomcat defines user roles such as "admin-gui" and "manager-gui" to identify access rights.

With the current implementation(s) which only support SID and FQN, it is not possible to administer these roles through Windows Group administration, as the current Waffle implementation only supports the group names inside a domain, adding the local computer name as the domain for groups defined on the local computer. This means the roles supplied by waffle for a group named "admin-gui" would be "LOCAL_COMPUTER\admin-gui" or "DOMAIN\admin-gui", neither of which identify the user as having the "admin-gui" role required by the application.

The capability to use Group Names as role names directly was removed when the code was moved to support the FQN and was not brought back when the SID was added as an option. This limits the use to application role names which are bound to security domain names. There may be reasons for this which I do not understand.

I have not been able to find a way to map security domain groups to application security roles (which typically should not be domain constrained). Is there a way to do this?

If not, I am willing to look at options for adding the capability to use unqualified Windows group names as Role name in addition to using the FQN and SID.

Adding this capability will not be limited to JAAS.

@eekodeerder eekodeerder changed the title JAAS logon with GroupName (not FQN) for local computer JAAS logon with GroupName (not FQN) for local (or remote) computer Jan 5, 2021
@eekodeerder
Copy link
Contributor Author

This issue is similar to Issue #853.

@dblock
Copy link
Collaborator

dblock commented Jan 5, 2021

Thanks for the detailed explanation.

The capability to use Group Names as role names directly was removed when the code was moved to support the FQN and was not brought back when the SID was added as an option. This limits the use to application role names which are bound to security domain names. There may be reasons for this which I do not understand.

If you pull up the commit links @hazendaz or myself can try to rack the back of our brains to remember why. I am going to guess that the goal here was to only allow what Windows allows and nothing more.

I have not been able to find a way to map security domain groups to application security roles (which typically should not be domain constrained). Is there a way to do this?

I don't believe so.

If not, I am willing to look at options for adding the capability to use unqualified Windows group names as Role name in addition to using the FQN and SID.

This sounds right. Thanks.

@eekodeerder
Copy link
Contributor Author

eekodeerder commented Jan 19, 2021

I cannot find code pre 2015. It worked with simple names on Windows 95 and Windows NT, not using the computer name. This is irrelevant. To be compatible with Windows 95 and Windows NT, it must have used the compatble names.

A simple way to add this for JAAS would be to add a WindowsLoginModule option defining domain names for which group names should be mapped to role names. This could be in addition to to the existing FQN and SID options for groups to roles. In other words you could specify NONE for the roleFormat and if you specify domains for which groups should be mapped, you will only get the names of the groups in that domain as role names. I propose a mapRolesFromDomainGroups option. this will be a comma-delimited list of domain names to map. When creating roles, we inspect the Account.domain for the group.

Another option would be to make a distinction between GroupPrincipals and RolePrincipals. The JAASRealm can then be instructed which ones to use. I believe it is not only less efficient, but will also be a breaking change.

A third option would be the complete solution, but requires access to a file (or string) which specifies specific mappings from Groups to Roles. It is a lot more work and more difficult to configure, albeit comprehesive. This option is not mutually exclusive with the first option.

An alternative would be to create a new LoginModule class, but I don't think it is necessary if we use the first option.

@dblock
Copy link
Collaborator

dblock commented Jan 19, 2021

Here's some code from 2010 from an archive, if anyone is interested

waffle.zip

I can dig up a better copy, and a more recent one, this one is from some build artifact.

also codeplex archive

@eekodeerder
Copy link
Contributor Author

I am currently adding the capability to get the security role names from the group names without domain name only for the JAAS WindowsLoginModule. The translation from groups to roles appears in many places in the code base (Tomcat (all versions), Jakarta, etc). Unfortunately these are all copy and paste re-use (because they are different projects) and it is therefore a lot of work to add this to all of these projects.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants