
jna-Waffle interact with windows kerberos ticket cache?


We have a Windows client app that uses a Groovy script to interact with a web API server using SPNEGO as authentication. This script uses the Waffle lib to query a new Kerberos token every time. Question: is it possible to use the Windows cache to save/retrieve the token? If so, how to get the token's time validity?

I did not find information about this in the doc: https://github.com/Waffle/waffle

Here is the actual script that requests the token, in case it helps anyone.

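import waffle.windows.auth.IWindowsSecurityContext
import waffle.windows.auth.impl.WindowsSecurityContextImpl

// Create an SSPI client context for the target SPN and Base64-encode its token
String securityPackage = 'Negotiate'
String spnTarget = 'HTTP/dummy.serve'
IWindowsSecurityContext ctx = WindowsSecurityContextImpl.getCurrent(securityPackage, spnTarget)
byte[] token = ctx.getToken()
String token64 = Base64.getEncoder().encodeToString(token)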

Solution

  • Question: is it possible to use the windows cache to save/retrieve token ?

    These tokens are single-use and it does not make sense to cache them.

    Do not confuse tokens with tickets – the Kerberos ticket is the cacheable object, retrieved over network and automatically cached by Windows whenever the program creates the SSPI context, while the token is produced from the ticket locally and is one-time only.

    If you look at the output of klist you will likely see the ticket for HTTP/dummy.serve already cached there. (Specifically C:\Windows\System32\klist.exe – not to be confused with MIT Krb5 klist or Java klist or Oracle klist.)

    Kerberos tickets are not like bearer tokens; they come with a private part (session key) which is used to generate a fresh "authenticator" for every context. The token you obtain from SSPI is a combination of the cached ticket and the one-time authenticator.

    So if you're using Kerberos with HTTP, your example is the normal way of doing things – since HTTP is stateless, each request involves creating a new SSPI context and getting a fresh token. The first context will cause Windows to acquire and automatically cache the ticket; subsequent contexts will use the cached ticket to generate new tokens.

  • If so, how to get token time validity ?

    Kerberos tokens don't really have such a concept, given that they're invalidated on first use.

    Although technically speaking an unused token would remain valid for as long as its respective ticket is valid, it doesn't make much sense to hoard unused tokens for later use – just get a fresh one from SSPI when you need one, otherwise you'd be duplicating the work SSPI already does.

    As for the ticket, its validity usually shouldn't matter to the client software (Windows takes care of renewals), but in case it does matter, you should be able to get that information from the context's clientLifetime property (or similar – I couldn't quite decipher the Waffle source code).
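The per-request pattern described in the answer, as an added example that is not part of the original question or answer. It uses only the Waffle calls shown in the question plus `dispose()`; the `https://dummy.serve/api` base URL and the two request paths are hypothetical placeholders.

```groovy
import waffle.windows.auth.IWindowsSecurityContext
import waffle.windows.auth.impl.WindowsSecurityContextImpl

// Build a fresh SPNEGO token for a single request.
// Windows reuses the service ticket it has already cached for the SPN;
// only the one-time authenticator inside the token is generated anew.
String freshNegotiateHeader(String spnTarget) {
    IWindowsSecurityContext ctx =
        WindowsSecurityContextImpl.getCurrent('Negotiate', spnTarget)
    try {
        // Encode before disposing so nothing depends on the context's buffers.
        return 'Negotiate ' + Base64.getEncoder().encodeToString(ctx.getToken())
    } finally {
        // Releases the SSPI context handle only; the Kerberos ticket
        // stays in the Windows ticket cache (visible with klist.exe).
        ctx.dispose()
    }
}

// Assumed values: SPN taken from the question, URL and paths are placeholders.
String spn  = 'HTTP/dummy.serve'
String base = 'https://dummy.serve/api'

// Two independent requests: each one gets its own context and its own token.
// The token from the first request is never stored or reused.
['/status', '/items'].each { path ->
    HttpURLConnection conn =
        (HttpURLConnection) new URL(base + path).openConnection()
    conn.setRequestProperty('Authorization', freshNegotiateHeader(spn))
    println "${path} -> HTTP ${conn.getResponseCode()}"
    conn.disconnect()
}
```

Running `C:\Windows\System32\klist.exe` after the first request should list a single ticket for the SPN, however many requests follow.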