
Add support for PAC decoding (SES-94)

Open saschaszott opened this issue 10 years ago • 2 comments

Hi folks,

are there plans to integrate the work that was done by Grant Cermak in https://jira.spring.io/browse/SES-94 to allow PAC decoding in order to get the granted authorities for an authenticated (AD) user? Currently, an additional request to the AD is required to get the granted authorities, as the UserDetails object gets only the username from the Kerberos ticket (see method authenticate in class KerberosServiceAuthenticationProvider):

UserDetails userDetails = this.userDetailsService.loadUserByUsername(ticketValidation.username());

If an integration is not planned in the near future, could you provide a means to access the token object (or ticketValidation object, respectively) that is instantiated in KerberosServiceAuthenticationProvider:

KerberosServiceRequestToken auth = (KerberosServiceRequestToken) authentication;
byte[] token = auth.getToken();
LOG.debug("Try to validate Kerberos Token");
KerberosTicketValidation ticketValidation = this.ticketValidator.validateTicket(token);

saschaszott avatar Jul 01 '15 10:07 saschaszott
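To make concrete what "PAC decoding" involves, here is an added example (not code from the issue, from Spring Security Kerberos, or from the SES-94 patch) that parses the outer PACTYPE layout from MS-PAC: a buffer count and version, then a table of PAC_INFO_BUFFER entries, each locating one payload such as the logon info that carries the group SIDs. The sample blob and its payloads are constructed placeholders; a real decoder would then verify the server and KDC checksums and NDR-decode KERB_VALIDATION_INFO.

```python
import struct

# PAC_INFO_BUFFER type identifiers (MS-PAC section 2.4) used in this example
PAC_LOGON_INFO = 0x00000001       # KERB_VALIDATION_INFO: user and group SIDs
PAC_SERVER_CHECKSUM = 0x00000006  # signature over the PAC by the service key
PAC_PRIVSVR_CHECKSUM = 0x00000007 # signature over the server checksum by the KDC key
PAC_CLIENT_INFO = 0x0000000A      # client name and ticket-issue time


def parse_pac(pac: bytes) -> dict:
    """Parse PACTYPE: cBuffers, Version (both ULONG), then per buffer
    ulType (ULONG), cbBufferSize (ULONG), Offset (ULONG64), all little-endian.
    Returns {buffer type: payload bytes}; rejects offsets outside the blob."""
    if len(pac) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    table_end = 8 + 16 * count
    if table_end > len(pac):
        raise ValueError("buffer table exceeds PAC length")
    buffers = {}
    for i in range(count):
        btype, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        # A malformed or truncated PAC must never be read past its end
        if offset < table_end or offset + size > len(pac):
            raise ValueError(f"buffer {i} (type 0x{btype:x}) out of bounds")
        buffers[btype] = pac[offset:offset + size]
    return buffers


def is_well_formed(pac: bytes) -> bool:
    """Convenience wrapper: True when the buffer table parses cleanly."""
    try:
        parse_pac(pac)
        return True
    except ValueError:
        return False


def build_pac(buffers: list) -> bytes:
    """Assemble a PACTYPE blob from (type, payload) pairs, 8-byte aligning each payload."""
    header = struct.pack("<II", len(buffers), 0)
    offset = 8 + 16 * len(buffers)
    table, body = b"", b""
    for btype, payload in buffers:
        table += struct.pack("<IIQ", btype, len(payload), offset)
        padded = payload + b"\0" * (-len(payload) % 8)
        body += padded
        offset += len(padded)
    return header + table + body


# Constructed sample PAC: payloads are placeholders, not real NDR or checksum data
SAMPLE_PAC = build_pac([
    (PAC_LOGON_INFO, b"\x01\x10\x08\x00" + b"\0" * 28),
    (PAC_CLIENT_INFO, struct.pack("<QH", 0, 4) + "user".encode("utf-16-le")),
    (PAC_SERVER_CHECKSUM, struct.pack("<I", 16) + b"\0" * 12),
    (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", 16) + b"\0" * 12),
])
```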

Need to think about this. We just need to work with MIT/AD Kerberos implementations and can't break either one. Naturally, contributions are very welcome if you have a good idea how to use that code base.

jvalkeal avatar Jul 03 '15 12:07 jvalkeal

Hi there,

I wanted to ask if there is any news regarding the implementation of the old PAC extension, because our company is developing software that makes intensive use of Spring and Spring Security in particular.

More than 90% of our customers use Kerberos with their Active Directory implementation (which includes PAC) of Microsoft's Kerberos.

In most situations the standard Spring Security code worked just fine (without the PAC extension). But we have several customers where we are having trouble without PAC (as long as PAC and Kerberos were a Spring extension, we used both!).

The reason is that in this particular case, the user has tons and tons of group memberships, which significantly increases the Kerberos header.

If we use the Spring Security core code (with Kerberos) we get an error message (I can share details if someone is interested). If we use the legacy extension including PAC, everything works just fine (nothing changed in the environment or the config).

So it would be a huge improvement for us if you could also include PAC in the Spring Security core code, as you have done with the Kerberos extension.

Thanks in advance, René

hlpinform avatar Sep 09 '16 08:09 hlpinform