Title: Method and apparatus for transmitting additional authorization data via GSSAPI
Abstract: A system and method for using a GSSAPI security token to transport additional non-GSSAPI data that includes authorization data used by third-party software. The system includes a hook that intercepts a client process's interactions with the GSSAPI. When a client process requests a security context from the GSSAPI, the hook intercepts the security token the GSSAPI provides for the client process. The hook checks whether there is additional authorization data to transport, adds that data to the security token, then gives the token to the client process. The client process sends the security token to the server process, which submits the token to the GSSAPI for evaluation. A hook on the server's computer intercepts the security token, removes the additional data added earlier, gives the added authorization data to a version of the third-party authorization software, then passes the now-unaltered security token to the server process, which uses the security token to finish establishing a security context with the client process.
Publication number: US9112846 (B2); Publication date: 2015.08.18
Application number: US201314052600; Filing date: 2013.10.11
Applicant: CENTRIFY CORPORATION; Inventor: Kwok Hon Wai
Classification: G06F7/04; H04L29/06; Main classification: G06F7/04
Agent firm: Blakely Sokoloff Taylor & Zafman; Agent: Blakely Sokoloff Taylor & Zafman
Main claim: 1. A system for enabling a third party authorization process to provide extended authorization for a security context for a client-server connection for a first computer comprising: a generic security service application program interface (GSSAPI) and a client process running on said first computer, said GSSAPI configured to create a security token for said client process to send to a second computer; a module running on said first computer configured to intercept the security token created by said GSSAPI, accept non-operating-system authorization data from said third party authorization process to be added to said security token and return said security token with said added data to said client process; said client process configured to request a security context using said security token with said added data from a server process running on a second computer, said second computer including a module configured to intercept said security token received from said first computer, remove any non-operating-system authorization data added to said security token by said first computer, pass said non-operating-system authorization data to a third party authorization process running on said second computer, and pass said security token without said non-operating-system authorization data to a GSSAPI running on said second computer, said server process configured to send said security token to said first computer after said GSSAPI running on said second computer has confirmed authentication and authorization for a security context based on said security token.
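The client-side and server-side hooks described in the abstract and claim, written out as an added Python example (not code from the patent or from Centrify). The patent does not fix a wire format, so the MAGIC marker, the length-prefixed framing and the stand-in token bytes are constructed assumptions; the point shown is that the server hook returns the GSSAPI token byte-for-byte as the client's GSSAPI produced it, and passes plain tokens through untouched.

```python
import struct
from typing import Optional, Tuple

# Constructed framing (assumption): marker + 4-byte big-endian length + data + original token.
MAGIC = b"XAUTHZ\x01"
HDR_LEN = len(MAGIC) + 4

# Constructed stand-ins for a GSSAPI token and third-party authorization data (not real).
SAMPLE_TOKEN = b"\x60\x1c" + b"constructed-gss-token-bytes"
SAMPLE_AUTHZ = b'{"groups":["wheel"],"src":"constructed"}'


def client_hook(gss_token: bytes, authz_data: Optional[bytes]) -> bytes:
    """Hook on the first computer: runs after the GSSAPI hands the token to the
    client. If the third-party process supplied data, prepend it; otherwise
    return the token unaltered so the client sends exactly what the GSSAPI made."""
    if not authz_data:
        return gss_token
    return MAGIC + struct.pack(">I", len(authz_data)) + authz_data + gss_token


def server_hook(wire_token: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Hook on the second computer: runs before the server submits the token to
    its GSSAPI. Strips the added data (returned separately for the third-party
    authorization software) and yields the original token for GSSAPI evaluation."""
    if not wire_token.startswith(MAGIC):
        return wire_token, None                      # nothing was added: pass through
    if len(wire_token) < HDR_LEN:
        raise ValueError("truncated wrapper header")
    (n,) = struct.unpack(">I", wire_token[HDR_LEN - 4:HDR_LEN])
    if n > len(wire_token) - HDR_LEN:
        raise ValueError("authorization length exceeds received token")
    authz_data = wire_token[HDR_LEN:HDR_LEN + n]
    return wire_token[HDR_LEN + n:], authz_data


def round_trip(gss_token: bytes, authz_data: Optional[bytes]) -> Tuple[bool, Optional[bytes]]:
    """Simulate client -> server: report whether the GSSAPI token survived
    unaltered and what the server-side third-party software would receive."""
    wire = client_hook(gss_token, authz_data)
    recovered_token, recovered_data = server_hook(wire)
    return recovered_token == gss_token, recovered_data


if __name__ == "__main__":
    print(round_trip(SAMPLE_TOKEN, SAMPLE_AUTHZ))   # (True, b'{"groups":...}')
    print(round_trip(SAMPLE_TOKEN, None))           # (True, None)
```

Nothing in this framing authenticates the appended bytes: they sit outside the GSSAPI token's own integrity protection, so the third-party authorization software on the server must validate them itself before acting on them.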
Address: Sunnyvale CA US