NTNumericCredential of the NTLoginModule JAAS module

Bernd ecki at zusammenkunft.net
Tue Apr 25 01:07:45 UTC 2017


Hello,

I (re)discovered a class com.sun.security.auth.NTNumericCredential in the
OpenJDK which I was researching ten years back but could not get an answer
(then). Maybe somebody here knows:

The NTLoginModule for JAAS reads the current user's Windows security
information and represents them as principals and credentials (i.e. it
ignores the password callback as it only reads the current OS user's
context). It is somewhat nice to get username and group SIDs, but I am not
sure how this can be used for authentication (since there is no
client/server trust boundary).

Anyway, the thing I am curious about: it also returns a public credential
called NTNumericCredential which contains the long number of a security
token duplicated for local impersonation.

 * <p> This class abstracts an NT security token
 * and provides a mechanism to do same-process security impersonation.

http://hg.openjdk.java.net/jdk10/jdk10/jdk/file/329609d00aef/src/jdk.security.auth/windows/native/libjaas/nt.c#l573

I can however nowhere find any sample how this can be used. Especially not
since the token represents the current user / thread token which is IMHO
not changed? Is this somehow used after other (native) authentication? Does
anybody know how this can be used or how it was used? The
UnixSystem/UnixLoginModule counterpart does not have this provision.

And generally, is there a good use for the NTLoginModule, how would it be
used to actually enforce access control?

Gruss
Bernd
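
Added example, not part of the original message and not OpenJDK code: a minimal JAAS login through NTLoginModule that lists what ends up in the Subject, including the NTNumericCredential public credential discussed above. It assumes a Windows JDK with the jdk.security.auth module; the class name NtSubjectDump and the configuration name "nt-dump" are made up for illustration.

```java
import com.sun.security.auth.NTNumericCredential;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Illustrative only: NtSubjectDump is a hypothetical name. Runs on a Windows JDK.
public class NtSubjectDump {
    public static void main(String[] args) throws LoginException {
        // In-memory JAAS configuration with one entry: NTLoginModule, required.
        Configuration config = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.NTLoginModule",
                        LoginModuleControlFlag.REQUIRED,
                        Map.of("debug", "false"))
                };
            }
        };

        // No Subject and no CallbackHandler are supplied: the module asks for
        // no password and only reads the identity of the current OS user.
        LoginContext lc = new LoginContext("nt-dump", null, null, config);
        lc.login();
        try {
            Subject subject = lc.getSubject();
            // User name, domain, user SID, domain SID and group SIDs arrive
            // as separate principal types; print the type next to each value.
            for (Principal p : subject.getPrincipals()) {
                System.out.printf("%-28s %s%n", p.getClass().getSimpleName(), p.getName());
            }
            // The public credential wraps the native token value as a long.
            // A Windows handle is only meaningful inside this process.
            for (NTNumericCredential c : subject.getPublicCredentials(NTNumericCredential.class)) {
                System.out.printf("%-28s 0x%x%n", "NTNumericCredential", c.getToken());
            }
        } finally {
            lc.logout(); // removes the principals and credentials from the Subject
        }
    }
}
```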