tags:

views:

200

answers:

1
Q: 

Impersonating a user from a Java Servlet

Given a Java Servlet (running on a Windows server) which creates a new process via ProcessBuilder, what are my options for having that new process run as the user who invoked the original web request to the servlet?

To clarify, what I want is that something like 

ProcessBuilder pb = new ProcessBuilder("whoami");
Process p = pb.start();
// p.getOutputStream() should contain the name of the remote user,
// not the user running the app server

And the real goal is to perform some security checks (say, to see if the user if able to open a file, or view such-and-such record in an internal enterprise system).

Clearly the user will need to be authenticated somehow, either by the app server or the java code - Ideally I'd like that to be in some way that works with single sign on (i.e. without the user entering a password), and it's fine if the solution works only from Windows clients who are already logged onto a domain (though even better if that's not a restriction). I'm currently using Jetty as the app server, but switching to something else would certainly be a viable option if necessary.

(If it helps to clarify, I'm basically looking to replace a CGI script which currently uses IIS's impersonation features to run in the context of the user making the request)

+1  A: 

Your only option is going to be JNI, or some wrapper around JNI like JNA. You will need to call O/S APIs to change your effective credentials, which will also require the application server to run as administrator - which is itself a significant security consideration.

I don't know specifically about Windows APIs, but most O/S's have the ability for a sufficiently powerful profile (admin/root) to assume the identity of any user profile without needing the password. Otherwise, usually the only way to acquire a user profile token is to present legitimate authentication credentials for that profile.

One thing to be careful of is to ensure that you change the credentials for the thread, not the entire process.

Software Monkey  2010-02-23 04:20:05
Thanks - As far as I've been able to find, there is not a way for administrator to become another user without credentials (CreateProcessWithLogonW and CreateProcessWithTokenW seem to be the Win32 way, and both require credentials), so I guess my question is how to arrange to have them or avoid needing them.Using JNI calls to actually fork the process is certainly an option if I can arrange everything else.
Matt Sheppard  2010-02-23 22:32:41
Oh, and if the username and password were available, something like MiniRunAs would probably do the trick for me, avoiding the need for JNI - http://stackoverflow.com/questions/362198/how-can-i-create-a-new-process-with-another-user-account-on-windows/2308947#2308947
Matt Sheppard  2010-02-23 22:35:22

related questions

Verifying files for testing
How do you create your own moniker (URL Protocol) on Windows systems?
Windows Equivalent of 'nice'
Is this a good way to determine OS Architecture?
Dual vs. Quadcore on a Webserver
Is there a WMI Redistributable Package?
PHP Error - Uploading a file
Ruby On Rails with Windows Vista - Best Setup?
OpenVPN Config file to prevent timeout
How can I create Debian install packages in Windows for a Visual Studio project?
How do I configure and communicate with a serial port?
What's the best setup for Mono development on Windows?
Appropriate pagefile size for SQL Server
XML Editing/Viewing Software
Linux shell equivalent on IIS
What is a better file copy alternative than the Windows default?
Windows Help files - what are the options?
Heap corruption under Win32; how to locate?
Best way to access Exchange using PHP?
Get a preview jpeg of a pdf on windows?
WinForms ComboBox data binding gotcha
How do you schedule tasks in Windows?
Register Windows program with the mailto protocol programmatically
Embedding Windows Media Player for all Browsers
Best Subversion clients for Windows Vista (64bit)