Hi Dennis
I recently had some casual talk with a customer and he would like Java
to be able to work with Windows UAC nicely. We imagined two ways to do this:
1. The whole webstart app in "elevated" mode:
There can be a special flag in the JNLP file. It can take a value of
"elevated" or "run-as-admin". When the JRE sees it, it pops up a dialog and
then runs the whole app in the requested mode.
2. Run part of an app in "elevated" mode:
Grammatically, this would look like the AccessController.doPrivileged
method, say

    // normal user mode
    doUAC(new PrivilegedAction<Void>() {
        public Void run() {
            // do administrative jobs
            return null;
        }
    });

but I doubt if this is possible. First, this doUAC would be a very
Windows-only concept and I don't know how to express this in a Java-preferred
way. Second, the running contexts of normal mode and elevated mode are
quite isolated from each other and I wonder how to pass arguments or
results between them. Maybe serialization?
Any comment?
Thanks
Max
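
Max's doUAC() sketch above, and the five steps Henning lists further down in the thread (run as a regular user, trigger UAC, do the privileged work, drop the privileges), can be approximated with the JRE as it is today. What follows is an added example written for this thread, not code from the JDK, Oracle or comForte: the class name UacBridge, the task allow-list and the request/result file layout are my own choices. It assumes Windows, java.exe under java.home, powershell.exe on the PATH, and that the elevated helper can use the same classpath as the caller. The UAC prompt is raised by PowerShell's Start-Process -Verb RunAs, which re-launches the JVM elevated; arguments and results cross the boundary as java.util.Properties text files rather than through ObjectInputStream, because the elevated JVM is reading input produced by a lower-privilege process, and deserializing untrusted input in the elevated process would hand that process's privileges to whoever can write the file.

```java
// Added example for this thread (not code from the JDK, Oracle or comForte): Max's doUAC() built on
// today's JRE by re-launching the JVM elevated via PowerShell "Start-Process -Verb RunAs" (UAC prompt).
// Assumes Windows, java.exe under java.home, powershell.exe on PATH and the same classpath in both JVMs.
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.function.Function;

public final class UacBridge {
    // Fixed menu of tasks the elevated helper will run. The caller names a task and passes strings,
    // never code or serialized objects, so it cannot turn the elevated JVM into a "run anything" service.
    private static final Map<String, Function<Properties, String>> TASKS = Map.of("copy-file", UacBridge::copyFile);

    private static String copyFile(Properties req) {
        Path src = Paths.get(req.getProperty("src", "")), dst = Paths.get(req.getProperty("dst", ""));
        try {
            Files.createDirectories(dst.getParent());
            Files.copy(src, dst, StandardCopyOption.REPLACE_EXISTING);
            return "copied " + Files.size(dst) + " bytes to " + dst;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private static Properties load(Path p) throws IOException {
        Properties props = new Properties();
        try (Reader r = Files.newBufferedReader(p, StandardCharsets.UTF_8)) { props.load(r); }
        return props;
    }
    private static void store(Path p, Properties props) throws IOException {
        try (Writer w = Files.newBufferedWriter(p, StandardCharsets.UTF_8)) { props.store(w, null); }
    }
    // PowerShell single-quoted literal; psArg additionally embeds double quotes so that Start-Process
    // keeps an argument with spaces (the classpath, say) as one argv element of the helper JVM.
    private static String psStr(String s) { return "'" + s.replace("'", "''") + "'"; }
    private static String psArg(String s) { return psStr("\"" + s + "\""); }

    /** Normal-user side, the analogue of doUAC(PrivilegedAction); blocks until the helper exits. */
    public static String doUAC(String task, Properties params) throws IOException, InterruptedException {
        if (!TASKS.containsKey(task)) throw new IllegalArgumentException("unknown task: " + task);
        Path dir = Files.createTempDirectory("uac-bridge");
        Path reqFile = dir.resolve("request.properties"), resFile = dir.resolve("result.properties");
        Properties req = new Properties();
        req.putAll(params);
        req.setProperty("task", task);
        store(reqFile, req);
        String javaExe = Paths.get(System.getProperty("java.home"), "bin", "java.exe").toString();
        String argList = String.join(",", psArg("-cp"), psArg(System.getProperty("java.class.path")),
            psArg(UacBridge.class.getName()), psArg("--elevated"), psArg(reqFile.toString()), psArg(resFile.toString()));
        // -Verb RunAs raises the UAC consent/credential dialog; -Wait blocks until the elevated helper
        // exits. The helper shares no stdio with this process, hence the request/result files.
        String command = "Start-Process -FilePath " + psStr(javaExe) + " -ArgumentList @(" + argList + ") -Verb RunAs -Wait";
        // -EncodedCommand (Base64 of UTF-16LE) sidesteps re-quoting the script for the powershell.exe argv.
        String encoded = Base64.getEncoder().encodeToString(command.getBytes(StandardCharsets.UTF_16LE));
        int rc = new ProcessBuilder("powershell.exe", "-NoProfile", "-NonInteractive", "-EncodedCommand", encoded)
            .inheritIO().start().waitFor();
        if (rc != 0 || !Files.exists(resFile)) {
            throw new IOException("elevation refused or helper did not run (powershell exit " + rc + ")");
        }
        Properties res = load(resFile);
        if (!"ok".equals(res.getProperty("status"))) {
            throw new IOException("elevated task failed: " + res.getProperty("result"));
        }
        return res.getProperty("result");
    }

    /** Elevated side. The request file came from a lower-privilege process: treat it as untrusted input. */
    static void runElevated(Path reqFile, Path resFile) throws IOException {
        Properties req = load(reqFile), res = new Properties();
        Function<Properties, String> body = TASKS.get(req.getProperty("task", ""));
        try {
            res.setProperty("result", body == null ? "task not in the allow-list" : body.apply(req));
            res.setProperty("status", body == null ? "refused" : "ok");
        } catch (RuntimeException e) {
            res.setProperty("status", "error");
            res.setProperty("result", e.toString());
        }
        store(resFile, res);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 3 && "--elevated".equals(args[0])) {
            runElevated(Paths.get(args[1]), Paths.get(args[2]));  // Henning's steps 3-4 run in this process
            return;
        }
        // Normal-user side (steps 1-2): ask to copy a file into the UAC-protected Program Files tree.
        Properties params = new Properties();                      // constructed sample input
        params.setProperty("src", args.length > 0 ? args[0] : "C:\\Temp\\example.txt");
        params.setProperty("dst", "C:\\Program Files\\Example\\example.txt");
        System.out.println(doUAC("copy-file", params));
        // Step 5 is implicit: the elevated token only ever existed in the helper process, which has exited.
    }
}
```

Run it unelevated as "java UacBridge C:\Temp\example.txt"; the helper JVM writes result.properties and exits, so the calling JVM never holds the elevated token itself. Cancelling the UAC prompt leaves no result file, which doUAC() reports as a refusal. The allow-list plus plain Properties is the answer to the "maybe serialization?" question: the elevated side must only accept a named task and string parameters it validates itself.
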
On 11/07/2011 08:00 PM, Henning Horst wrote:
Hi Max,
thanks for your prompt reply. And sorry for being unclear.
Users with local administrative Windows 7 / Vista accounts that are also
member of the AD domain do not seem to be able to do Kerberos
negotiation. In the actual situation we have a Java app that is started
with webstart. It is a terminal emulator which then connects via
kerberized SSH to a kerberos capable SSH server. All types of Windows
users are able to run java webstart and start the application. When an
SSH connection is to be established from within the application however,
the Kerberos part of the connection establishment is only successful for
regular users. For local admin users within the domain the Kerberos
handshake via JGSS results in an "Integrity check on decrypted field
failed" error.
In contrast to starting the application via the browser (which then
calls java ws), if the same administrators run javaws with "Run as
Administrator" from the CMD the app launches successfully (as before)
and they can connect to the kerberized SSH server successfully (in
contrast to the integrity check on decrypted field failed error when not
running javaws with runas).
When running the "Standard User Analyzer" which is recommended by the
MSDN article
http://msdn.microsoft.com/en-us/library/bb530410.aspx
describing the UAC "feature", it shows that administrative privileges
seem to be required to access the Kerberos ticket of a local
administrator within the domain (please see image attached).
So this seems to correlate with the Windows "feature" that local admins
cannot get the session key for the TGT you wrote about.
It seems that with UAC domain users that are in the local admin group
only have access to their Kerberos ticket(s) if they use "run as".
During research I found e.g.
http://mark.koli.ch/2009/12/uac-prompt-from-java-createprocess-error740-the-requested-operation-requires-elevation.html
which shows a way to work around this "feature" by calling a native
program from within Java to trigger the UAC prompt and do the privileged
actions. But this should not be the solution, of course.
So if Microsoft forces this UAC stuff I would think that it would be
possible to trigger that UAC ask for permission dialog from within Java,
say to do the following
1) run Java program as regular user
2) user requests task that requires admin privileges (e.g. to copy a
file to the UAC protected "Program Files" directory)
3) Java application triggers UAC to ask user for permissions to switch
to administrative user
4) Java app does privileged work
5) Java app throws away privileges after task has been completed
successfully
Maybe you know something more about the state of play regarding that
feature (domain users that are also in the local admin group cannot use
Kerberos without "run as") and what Oracle will do about it (if anything).
Maybe there is "just" a hidden switch to fix the issue with local admins
within the AD domain not being able to do Kerberos handshakes with JGSS?
Any help would be very appreciated!
Thanks again and many regards,
Henning
On 11/07/2011 11:35 AM, Weijun Wang wrote:
Hi Henning
I don't quite understand the problem here.
What do you mean by "Windows administrators cannot run the program"? So the
user is in a local admin group but also a member of an AD domain? I
don't know why the result is "Kerberos tickets cannot be accessed
correctly". There was a Windows "feature" that local admins cannot get
the session key for the TGT, is it still so?
Anyway, I don't know a way to trigger UAC from within Java. If I
understand correctly, the UAC dialog pops out when some specific
UAC-related Win32 APIs are called (or another process is launched). It's not
that you use a normal API to access an admin-read-only file and
suddenly UAC is automatically triggered.
If you are requesting a general webstart feature (and not
specifically about JGSS), can you be a little more clear? I'll forward
the mail to the deployment team.
Thanks
Max
On 11/07/2011 06:16 PM, Henning Horst wrote:
Hi Max,
some time ago we had some mails back and forth regarding using TCP for
KDC communication in which I really appreciated your help and expertise.
I am wondering if you could be so kind to give me a hint on the following:
Due to our customers upgrading to Windows 7 we run into trouble with
using Java Kerberos. This is because, due to the new UAC feature of
Windows, Windows {Vista,7} administrators cannot run our java webstart
app from the browser anymore (Integrity check on decrypted field failed,
Kerberos tickets cannot be accessed correctly). From research on the
Internet it seems that there is no possibility to trigger the UAC dialog
to ask for administrative permissions from within Java. It seems the
only way is to use a native helper application with a corresponding
manifest file or start java from the console with runas.
Is anything planned yet by Oracle on how to proceed with that? Will this
be handled some time? Or are all vendors required to write their own
native wrapper application - which in some sense defeats the purpose of Java?
I would really appreciate your help, even a pointer to the correct
resource would be very helpful.
Thanks a lot in advance,
Henning
Henning Horst
Systems Analyst
comForte 21 GmbH
Germany Time zone (GMT +1)
[email protected]
www.comForte.com
Phone Germany: +49 (0)461 40 888 09
Mobile: +49 (0)151 2031 5474
comForte 21 GmbH / Steubenstraße 9 / D-65189 Wiesbaden / Germany
phone +49 (0) 611-93199-00 / fax +49 (0) 611-93199-05 / www.comforte.com
/ [email protected]
Geschäftsführer: Michael Horst, Dr. Michael Rossbach, Michael Weilbacher
Sitz der Gesellschaft: Wiesbaden / HRB 25507