Thank you Ben for the information. I downloaded Kerberos .gz from your web site and built the libraries.
I'm looking at sclient and sserver. When I run sclient with <target server> <port 80> then I'm getting Connected. But when I run sserver nothing happens.

Any ideas what I'm doing wrong please?

I'm running on Sun Solaris. I'm just trying at this stage to prove a concept.

Thanks

Imanuel.

-----Original Message-----
From: Benjamin Kaduk [mailto:ka...@mit.edu]
Sent: 08 December 2017 00:39
To: Imanuel Greenfeld <imanuel.greenfe...@ntlworld.com>
Cc: kerberos@mit.edu
Subject: Re: Kerberos and REST

It sounds like you are trying to come up with a scheme where the user credentials are transmitted to this REST server, and the REST server then uses the user's credentials to authenticate some backend requests made by the REST server while processing the body of the REST request.

This is, in effect, trusting the REST server to not misuse the user's credentials that are given to it with the request. There are some technical means that can somewhat reduce the scope of the user's credentials that are transmitted (please, please, please do not transmit the raw password!), but it may be worth taking a step back and questioning whether the user's credentials are really needed. That is, if the REST service is sufficiently trusted to be allowed to handle user credentials, why could it not have credentials of its own that are then used to authenticate the backend requests? That would eliminate the need for the actual user's credentials to be given to the REST server, which is probably more secure for the user.

There are potentially fancier mechanisms that could be used that do not directly give the REST server full authorization and instead require it to present proof that the user has authenticated to it, before being granted the needed tightly scoped credential by yet another service. But it's not clear that such complications are really needed -- from what you describe, it might be fine to give the REST server its own Kerberos credentials and just use that to authenticate backend requests.

-Ben

On Thu, Dec 07, 2017 at 07:21:16AM +0000, Imanuel Greenfeld wrote:
> Hello
>
> I am a C++ developer working on a project in industry.
>
> I have a Windows client which the user submits requests with.
>
> These requests are then sent to a backend process running in the
> background on Sun Solaris waiting to process those requests.
>
> I then need to take each of those requests and authenticate using
> Kerberos to gain access to a different server to get a response.
>
> Once I go through the Kerberos authentication, I need to submit a JSON
> message using REST. For this I'm using gSoap.
>
> Reading about Kerberos it seems that the client needs to get the Token
> and then send with the private encrypted password. However, the
> problem is that once the request has been submitted from the user, the
> client is out of the picture - I cannot send anything back to it or
> store anything in it.
>
> I am hoping that I can send the REST call along with the Kerberos
> authentication in one go. For example :-
>
> .
>
> soap *ctx = soap_new1(SOAP_C_UTFSTRING); // set up context to manage memory
> const char *endpoint = "https://...";
> value req(ctx), res(ctx); // new JSON values req and res
> req = "getCurrentTime";   // request current time
> json_call(ctx,            // make a call (POST)
>           endpoint,       // the service endpoint URL
>           req,            // value with the request string
>           res);           // response, if call is OK
>
> .
>
> So, in json_call I'd like to incorporate in the ctx the Kerberos
> authentication.
>
> Is that possible?
>
> Any other suggestions please?
>
> Do you have any C++ examples showing how to implement Kerberos?
>
> Many thanks in advance.
>
> Imanuel.
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos