UAC in Java

Weijun Wang weijun.wang at oracle.com
Mon Nov 7 23:56:52 UTC 2011


Hi Dennis

I recently had some casual talk with a customer and he would like Java 
to be able to work with Windows UAC nicely. We imagined two ways to do this:

1. The whole webstart app in "elevated" mode:

There can be a special flag in the JNLP file. It can take a value of 
"elevated" or "run-as-admin". When the JRE sees it, it pops up a dialog and 
then runs the whole app in the requested mode.

2. Run part of an app in "elevated" mode:

Grammatically, this would look like the AccessController.doPrivileged 
method, say

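    // normal user mode
    // doUAC is the proposed method; it does not exist in the JDK
    doUAC(new PrivilegedAction<Void>() {
        public Void run() {
            // do administrative jobs
            return null;   // PrivilegedAction.run() must return a value
        }
    });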

but I doubt if this is possible. First, this doUAC will be a very 
Windows-only concept and I don't know how to express this in a Java preferred 
way. Second, the running context of normal mode and elevated mode are 
quite isolated from each other and I wonder how to pass arguments or 
results between them. Maybe serialization?

Any comment?

Thanks
Max
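
Option 2 and the argument-passing question above can be approximated today by relaunching the JVM elevated through PowerShell's `Start-Process -Verb RunAs`. This is an added example, not code from this thread or from the JDK; the class name `ElevatedHelper`, the file names and the `whoami` operation are hypothetical, and it passes a plain-text request instead of a serialized object so that the elevated side can check it against an allow-list.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

// Added example, Windows only. Class, file and operation names are hypothetical.
public class ElevatedHelper {
    // The elevated half performs only operations on this list.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("whoami"));

    public static void main(String[] args) throws Exception {
        if (args.length == 3 && args[0].equals("--elevated")) {
            serve(Paths.get(args[1]), Paths.get(args[2]));   // runs after the UAC prompt
        } else {
            System.out.println(callElevated("whoami"));      // normal user mode
        }
    }

    // Unelevated side: write the request, start an elevated JVM, wait, read the reply.
    static String callElevated(String op) throws Exception {
        Path dir = Files.createTempDirectory("uac-demo");
        Path req = dir.resolve("request.txt"), resp = dir.resolve("response.txt");
        Files.write(req, op.getBytes(StandardCharsets.UTF_8));
        String java = Paths.get(System.getProperty("java.home"), "bin", "java.exe").toString();
        // Assumption: the class path is absolute and contains no double quotes.
        String childArgs = String.format("-cp \"%s\" ElevatedHelper --elevated \"%s\" \"%s\"",
                System.getProperty("java.class.path"), req, resp);
        // -Verb RunAs makes Windows show the consent prompt; -Wait blocks until the child exits.
        String script = "Start-Process -FilePath " + psQuote(java)
                + " -ArgumentList " + psQuote(childArgs) + " -Verb RunAs -Wait";
        // -EncodedCommand takes Base64 of UTF-16LE text, which avoids command-line quoting.
        String encoded = Base64.getEncoder()
                .encodeToString(script.getBytes(StandardCharsets.UTF_16LE));
        int rc = new ProcessBuilder("powershell.exe", "-NoProfile", "-EncodedCommand", encoded)
                .inheritIO().start().waitFor();
        if (rc != 0 || !Files.exists(resp))
            throw new IllegalStateException("elevation refused or failed");
        return new String(Files.readAllBytes(resp), StandardCharsets.UTF_8);
    }

    // PowerShell single-quoted literal: only the single quote itself needs escaping.
    static String psQuote(String s) { return "'" + s.replace("'", "''") + "'"; }

    // Elevated side: the request was written by the unelevated process, so it is untrusted.
    static void serve(Path req, Path resp) throws Exception {
        String op = new String(Files.readAllBytes(req), StandardCharsets.UTF_8).trim();
        String result = ALLOWED.contains(op)
                ? "elevated JVM running as " + System.getProperty("user.name")
                : "refused: unknown operation";
        Files.write(resp, result.getBytes(StandardCharsets.UTF_8));
    }
}
```

The elevated JVM loads its classes from whatever class path the unelevated process names, so the helper belongs in a location standard users cannot write to.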

On 11/07/2011 08:00 PM, Henning Horst wrote:
> Hi Max,
>
> thanks for your prompt reply. And sorry for being unclear.
>
> Users with local administrative Windows 7 / Vista accounts that are also
> members of the AD domain do not seem to be able to do Kerberos
> negotiation. In the actual situation we have a Java app that is started
> with webstart. It is a terminal emulator which then connects via
> kerberized SSH to a kerberos capable SSH server. All types of Windows
> users are able to run java webstart and start the application. When an
> SSH connection is to be established from within the application however,
> the Kerberos part of the connection establishment is only successful for
> regular users. For local admin users within the domain the Kerberos
> handshake via JGSS results in an "Integrity check on decrypted field
> failed" error.
>
> In contrast to starting the application via the browser (which then
> calls java ws), if the same administrators run javaws with "Run as
> Administrator" from the CMD the app launches successfully (as before)
> and they can connect to the kerberized SSH server successfully (in
> contrast to the integrity check on decrypted field failed error when not
> running javaws with runas).
>
> When running the "Standard User Analyser" which is recommended by the
> MSDN article
>
> http://msdn.microsoft.com/en-us/library/bb530410.aspx
>
> describing the UAC "feature" it shows that administrative privileges
> seem to be required to access the Kerberos Ticket of a local
> administrator within the domain (please see image attached).
>
> So this seems to correlate with the Windows "feature" that local admins
> cannot get the session key for the TGT you wrote about.
>
> It seems that with UAC domain users that are in the local admin group
> only have access to their Kerberos ticket(s) if they use "run as".
>
> During research I found e.g.
>
> http://mark.koli.ch/2009/12/uac-prompt-from-java-createprocess-error740-the-requested-operation-requires-elevation.html
>
> which shows a way how to work around this "feature" by calling a native
> program from within Java to trigger the UAC prompt and do the privileged
> actions. But this should not be the solution, of course.
>
> So if Microsoft forces this UAC stuff I would think that it would be
> possible to trigger that UAC ask for permission dialog from within Java,
> say to do the following
>
> 1) run Java program as regular user
> 2) user requests task that requires admin privileges (e.g. to copy a
> file to the UAC protected "Program Files" directory)
> 3) Java application triggers UAC to ask user for permissions to switch
> to administrative user
> 4) Java app does privileged work
> 5) Java app throws away privileges after task has been completed
> successfully
>
>
> Maybe you know something more about the state of play regarding to that
> feature (domain users that also are in the local admin group cannot use
> Kerberos without "run as") and what Oracle will do about (if something).
>
> Maybe there is "just" a hidden switch to fix the issue with local admins
> within the AD domain not being able to do Kerberos handshakes with JGSS?
>
> Any help would be very appreciated!
>
> Thanks again and many regards,
>
> Henning
>
>
>
> On 11/07/2011 11:35 AM, Weijun Wang wrote:
>> Hi Henning
>>
>> I don't quite understand the problem here.
>>
>> What do you mean Windows administrators cannot run the program? So the
>> user is on a local admin group but also a member of an AD domain? I
>> don't know why the result is "Kerberos tickets cannot be accessed
>> correctly". There was a Windows "feature" that local admins cannot get
>> the session key for the TGT, is it still so?
>>
>> Anyway, I don't know a way to trigger UAC from within Java. If I
>> understand correctly, the UAC dialog pops out when some specific
>> UAC-related Win32 APIs (or, launch another process) are called. It's not
>> that you use a normal API to access an admin-read-only file and
>> suddenly UAC is automatically triggered.
>>
>> If you are requesting for a general webstart feature (and not
>> specifically about JGSS), can you be a little more clear? I'll forward
>> the mail to the deployment team.
>>
>>
>> Thanks
>> Max
>>
>> On 11/07/2011 06:16 PM, Henning Horst wrote:
>>> Hi Max,
>>>
>>> some time ago we had some mails back and forth regarding using TCP for
>>> KDC communication in which I really appreciated your help and expertise.
>>>
>>> I am wondering if you could be so kind to give me a hint on the following:
>>>
>>> Due to our customers upgrading to Windows 7 we run into trouble with
>>> using Java Kerberos. This is because due to the new UAC feature of
>>> Windows, Windows {Vista,7} administrators cannot run our java webstart
>>> app from the browser anymore (Integrity check on decrypted field failed,
>>> Kerberos tickets cannot be accessed correctly). From research in the
>>> Internet it seems that there is no possibility to trigger the UAC dialog
>>> to ask for administrative permissions from within Java. It seems the
>>> only way is to use a native helper application with a corresponding
>>> manifest file or start java from the console with runas.
>>>
>>> Is anything planned yet from Oracle how to proceed with that? Will this
>>> be handled some time? Or are all vendors required to write their own
>>> native wrapper application - which in some sense defies the purpose of java?
>>>
>>> I would really appreciate your help, even a pointer to the correct
>>> resource would be very helpful.
>>>
>>> Thanks a lot in advance,
>>>
>>> Henning
>>>
>>>
>>>
>>> Henning Horst
>>> Systems Analyst
>>> comForte 21 GmbH
>>



More information about the security-dev mailing list