Kerberos and REST

Kerberos and REST

Imanuel Greenfeld

Hello

I am a C++ developer working on a project in industry.

I have a Windows client with which the user submits requests.

These requests are then sent to a backend process running in the background
on Sun Solaris, waiting to process those requests.

I then need to take each of those requests and authenticate using Kerberos
to gain access to a different server to get a response.

Once I go through the Kerberos authentication, I need to submit a JSON
message using REST.  For this I'm using gSoap.

Reading about Kerberos it seems that the client needs to get the Token and
then send it with the private encrypted password.  However, the problem is
that once the request has been submitted from the user, the client is out of
the picture - I cannot send anything back to it or store anything in it.

I am hoping that I can send the REST call along with the Kerberos
authentication in one go.  For example :-

    #include "json.h"                         // gSOAP JSON C++ API: value, json_call
    ...
    soap *ctx = soap_new1(SOAP_C_UTFSTRING);  // set up context to manage memory
    const char *endpoint = "https://...";
    value req(ctx), res(ctx);                 // new JSON values req and res
    req = "getCurrentTime";                   // request current time
    if (json_call(ctx,                        // make a call (POST)
                  endpoint,                   // the service endpoint URL
                  req,                        // value with the request string
                  res) != SOAP_OK)            // response, if call is OK
        soap_print_fault(ctx, stderr);        // report HTTP/transport errors
    ...
    soap_destroy(ctx);                        // free deserialized C++ objects
    soap_end(ctx);                            // free temporary data
    soap_free(ctx);                           // free the context

So, in json_call I'd like to incorporate in the ctx the Kerberos
authentication.

Is that possible ?

Any other suggestions please ?

Do you have any C++ examples showing how to implement Kerberos ?

Many thanks in advance.

Imanuel.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Kerberos and REST

Benjamin Kaduk-2
It sounds like you are trying to come up with a scheme where the
user credentials are transmitted to this REST server, and the REST
server then uses the user's credentials to authenticate some backend
requests made by the REST server while processing the body of the
REST request.  This is, in effect, trusting the REST server to
not misuse the user's credentials that are given to it with the
request.

There are some technical means that can somewhat reduce the scope of
the user's credentials that are transmitted (please, please, please
do not transmit the raw password!), but it may be worth taking a
step back and questioning whether the user's credentials are really
needed.  That is, if the REST service is sufficiently trusted to be
allowed to handle user credentials, why could it not have
credentials of its own that are then used to authenticate the
backend requests?  That would eliminate the need for the actual
user's credentials to be given to the REST server, which is probably
more secure for the user.

There are potentially fancier mechanisms that could be used that do
not directly give the REST server full authorization and instead
require it to present proof that the user has authenticated to it,
before being granted the needed tightly scoped credential by yet
another service.  But it's not clear that such complications are
really needed -- from what you describe, it might be fine to give
the REST server its own Kerberos credentials and just use that to
authenticate backend requests.

-Ben

On Thu, Dec 07, 2017 at 07:21:16AM +0000, Imanuel Greenfeld wrote:

> I then need to take each of those requests and authenticate using Kerberos
> to gain access to a different server to get a response.
>
> Once I go through the Kerberos authentication, I need to submit a JSON
> message using REST.  For this I'm using gSoap.
>
> Reading about Kerberos it seems that the client needs to get the Token and
> then send it with the private encrypted password.  However, the problem is
> that once the request has been submitted from the user, the client is out of
> the picture - I cannot send anything back to it or store anything in it.
>
> I am hoping that I can send the REST call along with the Kerberos
> authentication in one go.
>
> So, in json_call I'd like to incorporate in the ctx the Kerberos
> authentication.
>
> Is that possible ?
RE: Kerberos and REST

Imanuel Greenfeld
Thank you Ben for the information.

I downloaded Kerberos .gz from your web site and built the libraries.

I'm looking at sclient and sserver.

When I run sclient with <target server> <port 80> then I'm getting
Connected.

But when I run sserver nothing happens.

Any ideas what I'm doing wrong please ?

I'm running on Sun Solaris.

I'm just trying at this stage to prove a concept.

Thanks

Imanuel.


-----Original Message-----
From: Benjamin Kaduk [mailto:[hidden email]]
Sent: 08 December 2017 00:39
To: Imanuel Greenfeld <[hidden email]>
Cc: [hidden email]
Subject: Re: Kerberos and REST

Re: Kerberos and REST

Benjamin Kaduk-2
On Fri, Dec 08, 2017 at 06:39:56AM +0000, Imanuel Greenfeld wrote:

> Thank you Ben for the information.
>
> I downloaded Kerberos .gz from your web site and built the libraries.
>
> I'm looking at sclient and sserver.
>
> When I run sclient with <target server> <port 80> then I'm getting
> Connected.
>
> But when I run sserver nothing happens.
>
> Any ideas what I'm doing wrong please ?

If you want to use sserver as an example and familiarize yourself
with how things work, starting with its manual page seems
reasonable:
http://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/sserver.html

-Ben
RE: Kerberos and REST

Imanuel Greenfeld
Hello Ben,

Thanks for the information.

I managed to get a TGT from the KDC using basic Unix shell script and pass
Kerberos authentication.

Do you know if there is a way to pass this ticket to a process that is
sending JSON messages using gSoap ?  In other words, as part of the
json_call() I need to pass this ticket for authorisation.

Can you help ?

Many thanks

Imanuel.




-----Original Message-----
From: Benjamin Kaduk [mailto:[hidden email]]
Sent: 09 December 2017 02:32
To: Imanuel Greenfeld <[hidden email]>
Cc: [hidden email]
Subject: Re: Kerberos and REST

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
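Imanuel's last question (getting the ticket that is now sitting in the credential cache into the request that json_call sends) and Ben's advice (let the backend process authenticate with its own Kerberos principal rather than with the user's credentials) meet in one piece of plumbing: the HTTP Negotiate scheme, in which a GSS-API token carrying the Kerberos service ticket for the web server travels base64-encoded in an Authorization header, and the server answers with its own token in WWW-Authenticate. The C below is an added example written for this thread; it is not code from the thread, from gSOAP or from MIT krb5. The function names, the HTTP@<host> service name, and the idea of emitting the header from gSOAP's fposthdr callback are my assumptions, and the sample token bytes are constructed, not a real ticket.

```c
/* Added example (not from this thread, gSOAP or MIT krb5): the HTTP "Negotiate"
 * framing of RFC 4559 that carries a GSS-API/Kerberos token in an Authorization
 * header, plus parsing of the server's WWW-Authenticate reply. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 with '=' padding; caller frees the result. */
char *b64_encode(const unsigned char *in, size_t len)
{
    size_t i = 0, j = 0;
    char *out = malloc(4 * ((len + 2) / 3) + 1);
    if (!out) return NULL;
    while (i < len) {
        unsigned v = (unsigned)in[i++] << 16; int n = 1;
        if (i < len) { v |= (unsigned)in[i++] << 8; n++; }
        if (i < len) { v |= in[i++]; n++; }
        out[j++] = B64[(v >> 18) & 63];
        out[j++] = B64[(v >> 12) & 63];
        out[j++] = n > 1 ? B64[(v >> 6) & 63] : '=';
        out[j++] = n > 2 ? B64[v & 63] : '=';
    }
    out[j] = '\0'; return out;
}

/* Decode n base64 chars into out; returns bytes written, or -1 on a bad
 * length, a bad character, or padding anywhere except the final quantum. */
int b64_decode(const char *in, size_t n, unsigned char *out, size_t cap)
{
    size_t i, j = 0;
    if (n % 4 != 0) return -1;
    for (i = 0; i < n; i += 4) {
        int q[4], k;
        for (k = 0; k < 4; k++) {             /* q: 0..63, -2 for '=', -1 bad */
            char c = in[i + k];
            const char *p = (c && c != '=') ? strchr(B64, c) : NULL;
            q[k] = p ? (int)(p - B64) : (c == '=' ? -2 : -1);
        }
        if (q[0] < 0 || q[1] < 0 || q[2] == -1 || q[3] == -1 ||
            (q[2] == -2 && q[3] != -2) || (q[3] == -2 && i + 4 != n)) return -1;
        if (j + 1 + (q[2] != -2) + (q[3] != -2) > cap) return -1;
        out[j++] = (unsigned char)((q[0] << 2) | (q[1] >> 4));
        if (q[2] != -2) out[j++] = (unsigned char)((q[1] << 4) | (q[2] >> 2));
        if (q[3] != -2) out[j++] = (unsigned char)((q[2] << 6) | q[3]);
    }
    return (int)j;
}

/* Client side: the Authorization value. With gSOAP the assumed integration
 * point is the context's fposthdr callback: fposthdr(soap, "Authorization", hdr). */
char *negotiate_header(const unsigned char *token, size_t len)
{
    char *b64 = b64_encode(token, len), *hdr;
    size_t cap;
    if (!b64) return NULL;
    cap = strlen("Negotiate ") + strlen(b64) + 1; hdr = malloc(cap);
    if (hdr) snprintf(hdr, cap, "Negotiate %s", b64);
    free(b64);
    return hdr;
}

/* Server side: the WWW-Authenticate value. Returns the decoded token length,
 * 0 for a bare "Negotiate" challenge (the initial 401), -1 for another scheme
 * or a malformed token. The decoded token goes back into gss_init_sec_context
 * so that mutual authentication of the server actually completes. */
int parse_negotiate_challenge(const char *value, unsigned char *out, size_t cap)
{
    size_t n;
    while (*value == ' ' || *value == '\t') value++;
    if (strncasecmp(value, "Negotiate", 9) != 0) return -1;
    value += 9;
    if (*value && !strchr(" \t\r\n", *value)) return -1;   /* e.g. "NegotiateX" */
    while (*value == ' ' || *value == '\t') value++;
    n = strcspn(value, " \t\r\n");
    return n ? b64_decode(value, n, out, cap) : 0;
}

#ifdef HAVE_GSSAPI   /* compile with -DHAVE_GSSAPI and link -lgssapi_krb5 */
#include <gssapi/gssapi.h>
/* One initiator round for "HTTP@<host>" using the default credential cache:
 * whatever kinit (a user) or "kinit -k -t service.keytab" (the service's own
 * principal, as Ben recommends) placed there. Returns 1 if the server's reply
 * token must be fed back in, 0 once the context is established, -1 on error.
 * Many HTTP servers expect the SPNEGO mechanism rather than raw krb5; pass its
 * OID instead of GSS_C_NO_OID if yours does. */
int gss_negotiate_step(gss_ctx_id_t *ctx, const char *host,
                       const unsigned char *in, size_t inlen, gss_buffer_t out)
{
    OM_uint32 maj, min;
    char spn[256];
    gss_buffer_desc name = { 0, spn }, in_tok = { inlen, (void *)in };
    gss_name_t target = GSS_C_NO_NAME;
    name.length = (size_t)snprintf(spn, sizeof spn, "HTTP@%s", host);
    maj = gss_import_name(&min, &name, GSS_C_NT_HOSTBASED_SERVICE, &target);
    if (GSS_ERROR(maj)) return -1;
    maj = gss_init_sec_context(&min, GSS_C_NO_CREDENTIAL, ctx, target, GSS_C_NO_OID,
                               GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, 0,
                               GSS_C_NO_CHANNEL_BINDINGS,
                               inlen ? &in_tok : GSS_C_NO_BUFFER, NULL, out, NULL, NULL);
    gss_release_name(&min, &target);
    if (GSS_ERROR(maj)) return -1;
    return (maj & GSS_S_CONTINUE_NEEDED) ? 1 : 0;
}
#endif
```

The flow is: call gss_negotiate_step with no input token, wrap its output with negotiate_header and send the request; if the server replies 401 with WWW-Authenticate: Negotiate <token>, parse_negotiate_challenge recovers that token and a second gss_negotiate_step completes mutual authentication before the JSON body is trusted. Only a short-lived service ticket for HTTP@<host> crosses the wire, never the password, and with GSS_C_DELEG_FLAG left unset no forwardable TGT is handed to the REST server, which is the scope reduction Ben asks for. When the backend process runs under its own principal, kinit -k -t with its keytab fills the cache that gss_init_sec_context reads, so the user's credentials never need to reach the Solaris process at all.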