Daniel Doubrovkine


A generous contributor (Nicolas Guillaumin, @nguillaumin) who works for a company called Funnelback, has committed the much requested impersonation support to Waffle. This is pretty exciting, since it fills in a bunch of squares in the puzzle that we’re trying to assemble with the Waffle project.

I tried it out with build 1.4.1744.0.

First, there’s a line of code in the index.jsp that displays the current Windows thread identity by calling a Win32 API via JNA.

You are logged in as remote user <b><%= request.getRemoteUser() %></b> in session <b><%= session.getId() %></b>.<br>
You are impersonating user <b><%= Secur32Util.getUserNameEx(Secur32.EXTENDED_NAME_FORMAT.NameSamCompatible) %></b>.

I have two users, dblock-gray\dblock and dblock-gray\test. I am running the Tomcat server as dblock-gray\dblock and am browsing to it logged in as dblock-gray\test. Without impersonation I see the following.

[Screenshot: dblock-user]

This means that while I am logged in as the test user (request.getRemoteUser() returns dblock-gray\test), the Windows thread identity is still that of the Tomcat server process (dblock-gray\dblock).

Let’s add the impersonate init parameter to the security filter in web.xml.

<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
  <init-param>
    <param-name>impersonate</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

Tomcat now impersonates dblock-gray\test.

[Screenshot: test-user]

This is great news: I can now operate on behalf of dblock-gray\test to, for example, access files that test owns on the server. Also note that this is the default behavior of IIS when you enable Windows Authentication and we’re now accomplishing the same with Tomcat or any other servlet-compliant server.
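As an added example (not Waffle's own code, nor from the original post), here is a guard filter that applies the same thread-identity check the index.jsp above performs, but fails the request closed when impersonation has not taken effect, so a misconfigured deployment cannot silently fall back to the Tomcat service account. It assumes the filter is mapped in web.xml after SecurityFilter and that both names are in the DOMAIN\user form shown above; the class and method names are my own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sun.jna.platform.win32.Secur32;
import com.sun.jna.platform.win32.Secur32Util;

// Hypothetical guard filter; map it AFTER waffle.servlet.NegotiateSecurityFilter
// so that impersonate=true has already switched the thread identity.
public class ImpersonationGuardFilter implements Filter {

    // Windows account names compare case-insensitively (DOMAIN\user).
    static boolean sameIdentity(String remoteUser, String threadIdentity) {
        if (remoteUser == null || threadIdentity == null) {
            return false;
        }
        return remoteUser.equalsIgnoreCase(threadIdentity);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Same JNA call as the page's index.jsp: identity of the current
        // Windows thread, which is what file access will be checked against.
        String threadIdentity = Secur32Util.getUserNameEx(
                Secur32.EXTENDED_NAME_FORMAT.NameSamCompatible);

        if (!sameIdentity(request.getRemoteUser(), threadIdentity)) {
            // Impersonation is per-thread; if it is missing here, downstream
            // code would run with the server's privileges instead of the user's.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Windows impersonation is not in effect for this request");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Because impersonation is tied to the request thread, work handed off to another thread (an executor, a scheduled job) will not carry the user's identity, so this check only vouches for code running in the filter chain itself.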