This discussion is archived
4 Replies Latest reply: Oct 10, 2011 4:04 AM by 680524 RSS

How to get the username/password of the current owner of the running code

680524 Newbie
Currently Being Moderated
Dear friends,

Our product is running on the App Server(weblogic/websphere...) and we also use security provider(OpenLDAP) and kerberos to support SSO. Before, when a user tyies to login in the first time, the way we use to authenticate the user is:
1) Accept the username/password
2) Query the security provider(OpenLDAP) to get the principles.
3) verity if the username/password is corrent or not.

As we know, to query the principles, we need to provide a search user(both username and password) if we configured the access control of the ldap server:
I have configured my envirioment as follows
1) In the LDAP server, configured the Middle Tire user(The Operating System user running the App Server) to have the permission to query principles.
2) The server is configured to runing on SSO envirioment.

My question is could I get the username/password of the OS user running the App Server at runtime so that I can query the ldap server without explicitly providing the search user?

Thanks,
RR

Edited by: Ricky Ru on Oct 9, 2011 1:50 AM
  • 1. Re: How to get the username/password of the current owner of the running code
    EJP Guru
    Currently Being Moderated
    You can almost certainly not get the password, and if you can it is a sure sign that the system you are using is insecure. The way to verify the password with an LDAP server is to attempt an 'LDAP bind' as that user. In JNDI terms that means setting the authentication principal and credentials as environment properties of the context and attempting context.reconnect().
  • 2. Re: How to get the username/password of the current owner of the running code
    680524 Newbie
    Currently Being Moderated
    I might not describe clearly. The puspose is that in SSO enviroment, we want to use the Middle Tire Credential to search the principles from ldap server which is configured to allowed that. The question is that how to use the Middle Tire Credential at runtime. Could you specify your thoughts? Thanks.
  • 3. Re: How to get the username/password of the current owner of the running code
    EJP Guru
    Currently Being Moderated
    My thoughts are exactly the same. Unless you configure LDAP with plaintext passwords, which is strongly deprecated on security grounds, you can't get the user's password, because it is hashed, one way or another. So you have to do what I said. If this is for SSO you have to organize all the SSO subsystems to rely on the same LDAP authentication.
  • 4. Re: How to get the username/password of the current owner of the running code
    680524 Newbie
    Currently Being Moderated
    Thanks EJP.

    I have made some progress on this. But I have met another issue.
    *1) Using JAAS to login.*
    loginContext.login();
                   Subject subject = loginContext.getSubject();
                   ldapContext = (LdapContext) Subject.doAs(subject, this);
    *2) Init the ldapContext to use the GSSAPI authentication*
    // this is called automatically by login()
         public Object run() {
              Hashtable ldapEnv = new Hashtable();
              ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
              ldapEnv.put(Context.PROVIDER_URL, "ldap://9.30.215.197");
              
              ldapEnv.put(Context.SECURITY_AUTHENTICATION,"GSSAPI");
              ldapEnv.put(Context.SECURITY_PRINCIPAL,"");
              ldapEnv.put(Context.SECURITY_CREDENTIALS,"");
              //System.setProperty("sun.security.krb5.debug", "false");
              // This tells the GSS-API to use the cached ticket as
              // credentials, if it is available
              System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");     
              try {
                   InitialLdapContext ctx = new InitialLdapContext(ldapEnv,null);

    But I got the following exception when excuting new InitialLdapContext(ldapEnv,null);

    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    Principal is Cserver@CSSO.COM
    Commit Succeeded

    javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]]
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
         at LDAPKerbService.run(LDAPKerbService.java:66)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAs(Subject.java:337)
         at LDAPKerbService.login(LDAPKerbService.java:40)
         at LDAPKerbService.main(LDAPKerbService.java:82)
    Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))]
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
         at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
         ... 16 more
    Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
         at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
         at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
         ... 17 more
    Caused by: KrbException: Integrity check on decrypted field failed (31)
         at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
         at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
         at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
         at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
         at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
         at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
         ... 20 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
         at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
         at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
         at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
         ... 25 more

    Do you have any clue on this? Thanks.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points