Kerberos and REST

Imanuel Greenfeld imanuel.greenfeld1 at ntlworld.com
Fri Dec 8 01:39:56 EST 2017


Thank you Ben for the information.

I downloaded Kerberos .gz from your web site and built the libraries.

I'm looking at sclient and sserver. 

When I run sclient with <target server> <port 80> then I'm getting
Connected.

But when I run sserver nothing happens.

Any ideas what I'm doing wrong please?

I'm running on Sun Solaris.

I'm just trying at this stage to prove a concept.

Thanks

Imanuel.


-----Original Message-----
From: Benjamin Kaduk [mailto:kaduk at mit.edu] 
Sent: 08 December 2017 00:39
To: Imanuel Greenfeld <imanuel.greenfeld1 at ntlworld.com>
Cc: kerberos at mit.edu
Subject: Re: Kerberos and REST

It sounds like you are trying to come up with a scheme where the user
credentials are transmitted to this REST server, and the REST server then
uses the user's credentials to authenticate some backend requests made by
the REST server while processing the body of the REST request.  This is, in
effect, trusting the REST server to not misuse the user's credentials that
are given to it with the request.

There are some technical means that can somewhat reduce the scope of the
user's credentials that are transmitted (please, please, please do not
transmit the raw password!), but it may be worth taking a step back and
questioning whether the user's credentials are really needed.  That is, if
the REST service is sufficiently trusted to be allowed to handle user
credentials, why could it not have credentials of its own that are then used
to authenticate the backend requests?  That would eliminate the need for the
actual user's credentials to be given to the REST server, which is probably
more secure for the user.

There are potentially fancier mechanisms that could be used that do not
directly give the REST server full authorization and instead require it to
present proof that the user has authenticated to it, before being granted
the needed tightly scoped credential by yet another service.  But it's not
clear that such complications are really needed -- from what you describe,
it might be fine to give the REST server its own Kerberos credentials and
just use that to authenticate backend requests.

-Ben

On Thu, Dec 07, 2017 at 07:21:16AM +0000, Imanuel Greenfeld wrote:
> Hello
> 
> I am a C++ developer working on a project in industry.
> 
> I have a Windows client which the user submits requests with.
> 
> These requests are then sent to a backend process running in the
> background on Sun Solaris waiting to process those requests.
> 
> I then need to take each of those requests and authenticate using
> Kerberos to gain access to a different server to get a response.
> 
> Once I go through the Kerberos authentication, I need to submit a JSON
> message using REST.  For this I'm using gSoap.
> 
> Reading about Kerberos it seems that the client needs to get the Token
> and then send with the private encrypted password.  However, the
> problem is that once the request has been submitted from the user, the
> client is out of the picture - I cannot send anything back to it or store
> anything in it.
> 
> I am hoping that I can send the REST call along with the Kerberos
> authentication in one go.  For example :-
> 
>                .
> 
>                soap *ctx = soap_new1(SOAP_C_UTFSTRING);  // set up 
> context to manage memory
> 
>   const char *endpoint = "https://...";
> 
>   value req(ctx), res(ctx);                 // new JSON values req and res
> 
>   req = "getCurrentTime";                   // request current time
> 
>   json_call(ctx,                            // make a call (POST)
> 
>       endpoint,                             // the service endpoint URL
> 
>       req,                                  // value with the request
string
> 
>       res)                                  // response, if call is OK
> 
>   );
> 
> .
> 
> So, in json_call I'd like to incorporate in the ctx the Kerberos
> authentication.
> 
> Is that possible?
> 
> Any other suggestions please?
> 
> Do you have any C++ examples showing how to implement Kerberos?
> 
> Many thanks in advance.
> 
> Imanuel.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos