Java Impersonation using JNA and Waffle
Have you ever had the need to create a Java application that executes on behalf of a logged in Windows user?
You can!
-
In this post we will use JNA and Waffle to:
- Create a simple Java application to impersonate a Windows domain user.
In a future post, we will see how this can also be done in a servlet!
1. Create a Java application to impersonate a Windows domain user
- A windows system
- A windows user, DOMAIN\userA with Administrator rights
- A windows user, DOMAIN\userB
Let’s start off with the simple Java program.
public static void main(String[] args) throws Exception {
// Create a provider that implements Windows authentication functions
IWindowsAuthProvider prov = new WindowsAuthProviderImpl();
// Logon using my UPN formatted Windows domain account.
IWindowsIdentity identity = prov.logonUser("userB@my.domain.com", "UserBPassword");
// Impersonate as userB@my.domain.com
IWindowsImpersonationContext ctx = identity.impersonate();
// As the impersonated user, userB, create a new file
writeFile("c:\\temp\\"+Advapi32Util.getUserName()+".txt");
// Revert to the original user, userA
ctx.revertToSelf();
// As userA, create a new file
writeFile("c:\\temp\\"+Advapi32Util.getUserName()+".txt");
// Cleanup the Windows identity
identity.dispose();
}
Let’s run the program and observe its behavior.
- Logon to the Windows system as userA. userA must have Administrator rights.
- Exeute the program as the logged on user e.g. userA
- Observe, that the program creates two new files
- e.g.
- c:\temp\userA.txt
- c:\temp\userB.txt
- Inspect file properties and validate that userA.txt is owned by userA and userB.txt is owned by userB.
- Right click c:\temp\userA.txt and select Properties
- Choose the Details tab
- Verify that Owner is userA (or Administrator)
- Right click c:\temp\userB.txt and select Properties
- Choose the Details tab
- Verify that Owner is userB
As you can see, we have successfully constructed a Java application that impersonates Windows domain users!
Thank you!
