In some ways, working with .NET code spoils you. In an ASP.NET app that wants to make authorization decisions based on the authenticated user’s PAC contents, it’s a simple call to IsInRole(). Under the hood this uses the Privilege Attribute Certificate (PAC) carried in the Kerberos ticket to determine whether the user is a member of a specific group.
You can find more information on the contents of the PAC in these Microsoft articles:
- Utilizing the Windows 2000 Authorization Data in Kerberos Tickets for Access Control to Resources
- [MS-PAC]: Privilege Attribute Certificate Data Structure
This is a much more efficient way of determining group-based authorization than making LDAP calls to retrieve member lists. I’ve worked with some applications that iterate through many LDAP calls just to determine if a user is in a specific group, which may not be reflective of groups across domain or forest boundaries.
Well, today, someone asked whether it was possible to have similar functionality in a Java application. While in theory I was sure it was, they also asked if I could provide some Java examples to be used on a web server. Fortunately, Jens Bo Friis at AppliedCrypto.com has written a great article explaining the PAC and how to use it on several Java platforms to determine authorization information from the Kerberos ticket.
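Whichever platform does the parsing, the first thing a service should do with a PAC is verify the server checksum with its own service key before it trusts the group list inside. As an added example (not code from this post or from the article it links), here is a Python walker for the PACTYPE buffer table together with checksum verification for the RC4-HMAC signature type as specified in [MS-PAC] section 2.8; the service key, logon-info bytes and PAC blob used with it are constructed placeholders, and decoding the NDR-encoded KERB_VALIDATION_INFO that holds the group RIDs is not shown.

```python
import hashlib
import hmac
import struct
# Constants from [MS-PAC] sections 2.4 (buffer types) and 2.8 (signature types).
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76       # RC4-HMAC service key, 16-byte signature
SIG_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, 0x0F: 12, 0x10: 12}   # AES128/AES256 use 12 bytes
KERB_NON_KERB_CKSUM_SALT = 17             # key usage number for PAC signatures

def parse_pac(blob):
    """Walk the PACTYPE header and return {ulType: (offset, data)} for each PAC_INFO_BUFFER."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    buffers = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        buffers[ultype] = (offset, bytes(blob[offset:offset + size]))
    return buffers

def build_pac(entries):
    """Test-data helper (constructed): pack (ulType, data) pairs into a PACTYPE blob."""
    offset, table, body = 8 + 16 * len(entries), b"", b""
    for ultype, data in entries:
        table += struct.pack("<IIQ", ultype, len(data), offset + len(body))
        body += data + b"\0" * (-len(data) % 8)          # buffers are 8-byte aligned
    return struct.pack("<II", len(entries), 0) + table + body

def hmac_md5_checksum(key, usage, data):
    """KERB_CHECKSUM_HMAC_MD5 (RFC 4757 section 4): HMAC over MD5(usage || data) with Ksign."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()

def verify_server_checksum(blob, service_key):
    """True only if PAC_SERVER_CHECKSUM verifies; group data must not be trusted otherwise."""
    buffers = parse_pac(blob)
    if not all(t in buffers for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM)):
        return False
    sig = buffers[PAC_SERVER_CHECKSUM][1]
    if struct.unpack_from("<I", sig, 0)[0] != KERB_CHECKSUM_HMAC_MD5:
        raise NotImplementedError("only the RC4-HMAC signature type is handled here")
    # [MS-PAC] 2.8.1: the checksum covers the whole PAC with both Signature fields zeroed.
    zeroed = bytearray(blob)
    for ultype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off, data = buffers[ultype]
        n = SIG_LEN[struct.unpack_from("<I", data, 0)[0]]
        zeroed[off + 4:off + 4 + n] = b"\0" * n
    expected = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(zeroed))
    return hmac.compare_digest(expected, sig[4:20])
```

A real service would take the blob from the AD-WIN2K-PAC authorization-data element of the decrypted ticket and only then decode the logon-info buffer for group membership.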
Jens also has many useful articles on SPNEGO integration with WebSphere, WebLogic, Tomcat and Apache, which can be found at: