Kerberos and REST

Benjamin Kaduk kaduk at mit.edu
Thu Dec 7 19:39:05 EST 2017


It sounds like you are trying to come up with a scheme where the
user credentials are transmitted to this REST server, and the REST
server then uses the user's credentials to authenticate some backend
requests made by the REST server while processing the body of the
REST request.  This is, in effect, trusting the REST server to
not misuse the user's credentials that are given to it with the
request.

There are some technical means that can somewhat reduce the scope of
the user's credentials that are transmitted (please, please, please
do not transmit the raw password!), but it may be worth taking a
step back and questioning whether the user's credentials are really
needed.  That is, if the REST service is sufficiently trusted to be
allowed to handle user credentials, why could it not have
credentials of its own that are then used to authenticate the
backend requests?  That would eliminate the need for the actual
user's credentials to be given to the REST server, which is probably
more secure for the user.

There are potentially fancier mechanisms that could be used that do
not directly give the REST server full authorization and instead
require it to present proof that the user has authenticated to it,
before being granted the needed tightly scoped credential by yet
another service.  But it's not clear that such complications are
really needed -- from what you describe, it might be fine to give
the REST server its own Kerberos credentials and just use that to
authenticate backend requests.

-Ben

On Thu, Dec 07, 2017 at 07:21:16AM +0000, Imanuel Greenfeld wrote:
> Hello
> 
> I am a C++ developer working on a project in industry.
> 
> I have a Windows client which the user submits requests with.
> 
> These requests are then sent to a backend process running in the background
> on Sun Solaris waiting to process those requests.
> 
> I then need to take each of those requests and authenticate using Kerberos
> to gain access to a different server to get a response.
> 
> Once I go through the Kerberos authentication, I need to submit a JSON
> message using REST.  For this I'm using gSoap.
> 
> Reading about Kerberos it seems that the client needs to get the Token and
> then send with the private encrypted password.  However, the problem is that
> once the request has been submitted from the user, the client is out of the
> picture - I cannot send anything back to it or store anything in it.
> 
> I am hoping that I can send the REST call along with the Kerberos
> authentication in one go.  For example :-
> 
>   .
>   soap *ctx = soap_new1(SOAP_C_UTFSTRING);  // set up context to manage memory
>   const char *endpoint = "https://...";
>   value req(ctx), res(ctx);                 // new JSON values req and res
>   req = "getCurrentTime";                   // request current time
>   json_call(ctx,                            // make a call (POST)
>       endpoint,                             // the service endpoint URL
>       req,                                  // value with the request string
>       res);                                 // response, if call is OK
>   .
> 
> So, in json_call I'd like to incorporate in the ctx the Kerberos
> authentication.
> 
> Is that possible?
> 
> Any other suggestions please?
> 
> Do you have any C++ examples showing how to implement Kerberos?
> 
> Many thanks in advance.
> 
> Imanuel.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
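
The service-credential design Ben recommends above, as an added C++ sketch that is not from either message nor from gSOAP's own documentation: the REST server obtains a Kerberos token from its own keytab-backed identity and attaches it to the poster's json_call as an HTTP Negotiate header, so the user's password never reaches it. It assumes MIT Kerberos GSSAPI, gSOAP's C++ JSON API (json.h, value, json_call), that the gSOAP version in use has the http_extra_header field, and a backend that accepts Authorization: Negotiate; negotiate_token and call_backend are hypothetical names.

```cpp
// Added example, not from the thread: the REST server authenticates to the
// backend with its OWN Kerberos identity (keytab), never the user's password.
// Assumes MIT Kerberos GSSAPI, gSOAP's C++ JSON API and an HTTP Negotiate backend.
#include <gssapi/gssapi.h>
#include <string>
#include <cstdio>
#include "json.h"   // gSOAP JSON API: value, json_call (include path assumed)
// One GSS token for the backend's HTTP/<host> principal from the service's own
// initiator credential. With no ticket cache, MIT krb5 1.11+ obtains the TGT
// from the client keytab named by KRB5_CLIENT_KTNAME (the service's keytab).
static bool negotiate_token(soap *ctx, const std::string &host, std::string &b64)
{
    OM_uint32 maj, min;
    std::string spn = "HTTP@" + host;                      // host-based service name
    gss_buffer_desc nb = { spn.size(), (void *)spn.c_str() };
    gss_name_t target = GSS_C_NO_NAME;
    if (GSS_ERROR(gss_import_name(&min, &nb, GSS_C_NT_HOSTBASED_SERVICE, &target)))
        return false;
    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
    maj = gss_acquire_cred(&min, GSS_C_NO_NAME, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
                           GSS_C_INITIATE, &cred, NULL, NULL);
    gss_ctx_id_t gctx = GSS_C_NO_CONTEXT; gss_buffer_desc tok = GSS_C_EMPTY_BUFFER;
    if (!GSS_ERROR(maj))   // default mech (Kerberos); TLS, not mutual auth, checks server
        maj = gss_init_sec_context(&min, cred, &gctx, target, GSS_C_NO_OID, 0, 0,
                                   GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER,
                                   NULL, &tok, NULL, NULL);
    bool ok = !GSS_ERROR(maj) && tok.length > 0;   // Kerberos needs only this first token
    if (ok)   // base64 for the HTTP header; gSOAP allocates the string in ctx's memory
        b64 = soap_s2base64(ctx, (const unsigned char *)tok.value, NULL, (int)tok.length);
    gss_release_buffer(&min, &tok);  gss_delete_sec_context(&min, &gctx, GSS_C_NO_BUFFER);
    gss_release_cred(&min, &cred);   gss_release_name(&min, &target);
    return ok;
}

// The poster's json_call, now carrying the service's own Negotiate header.
static int call_backend(const char *endpoint, const char *backend_host)
{
    soap *ctx = soap_new1(SOAP_C_UTFSTRING);
    std::string token;
    if (!negotiate_token(ctx, backend_host, token)) { soap_end(ctx); soap_free(ctx); return -1; }
    std::string hdr = "Authorization: Negotiate " + token;
    ctx->http_extra_header = hdr.c_str();   // gSOAP: extra header on the next request
    value req(ctx), res(ctx);
    req = "getCurrentTime";
    int rc = json_call(ctx, endpoint, req, res);   // SOAP_OK on success
    if (rc != SOAP_OK) soap_print_fault(ctx, stderr);
    soap_destroy(ctx); soap_end(ctx); soap_free(ctx);
    return rc;
}
```

The keytab should be readable only by the service account, and the backend's ACL should then list that service principal, which is the scoping Ben describes: the backend sees the REST server's identity, not a forwarded user credential.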