[teiid-commits] teiid SVN: r3622 - in trunk: client/src/main/java/org/teiid/net and 8 other directories.
Wed Nov 9 13:03:26 EST 2011
Author: rareddy
Date: 2011-11-09 13:03:26 -0500 (Wed, 09 Nov 2011)
New Revision: 3622
Modified:
trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
trunk/client/src/main/java/org/teiid/net/TeiidURL.java
trunk/client/src/main/java/org/teiid/net/socket/SocketServerConnection.java
trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java
trunk/jboss-integration/src/main/java/org/teiid/jboss/AssosiateCallerIdentityLoginModule.java
trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java
trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java
trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java
trunk/runtime/src/main/resources/org/teiid/runtime/i18n.properties
Log:
TEIID-1610: Fixing an issue with ODBC GSS login, where after the GSS negotiation the subject is not placed in the security context; the flow also uses the JDBC login with the GSS auth-type, but there is no logic to allow this user to proceed.
Modified: trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
===================================================================
--- trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-11-09 18:03:26 UTC (rev 3622)
@@ -13,9 +13,9 @@
<property name="sessionMaxLimit">5000</property>
<!-- Max allowed time before the session is terminated by the system, 0 indicates unlimited (default 0) -->
<property name="sessionExpirationTimeLimit">0</property>
- <!-- authentication type are CLEARTEXT, KRB5 (default:CLEARTEXT) -->
+ <!-- authentication type are CLEARTEXT, GSS (default:CLEARTEXT) -->
<property name="authenticationType">CLEARTEXT</property>
- <!-- When authenticationType=KRB5, then it requires a kerberos security domain to authorize first before teiid-security takes over -->
+ <!-- When authenticationType=GSS, then it requires a kerberos security domain to authorize first before teiid-security takes over -->
<property name="krb5SecurityDomain">teiid-krb5</property>
</bean>
Modified: trunk/client/src/main/java/org/teiid/net/TeiidURL.java
===================================================================
--- trunk/client/src/main/java/org/teiid/net/TeiidURL.java 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/client/src/main/java/org/teiid/net/TeiidURL.java 2011-11-09 18:03:26 UTC (rev 3622)
@@ -90,7 +90,7 @@
public static final String KERBEROS_SERVICE_PRINCIPLE_NAME = "kerberosServicePrincipleName"; //$NON-NLS-1$
public enum AuthenticationType {
- CLEARTEXT,KRB5
+ CLEARTEXT,GSS
};
}
Modified: trunk/client/src/main/java/org/teiid/net/socket/SocketServerConnection.java
===================================================================
--- trunk/client/src/main/java/org/teiid/net/socket/SocketServerConnection.java 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/client/src/main/java/org/teiid/net/socket/SocketServerConnection.java 2011-11-09 18:03:26 UTC (rev 3622)
@@ -176,7 +176,7 @@
if (AuthenticationType.CLEARTEXT.equals(authType)) {
newResult = newLogon.logon(connProps);
}
- else if (AuthenticationType.KRB5.equals(authType)) {
+ else if (AuthenticationType.GSS.equals(authType)) {
newResult = MakeGSS.authenticate(newLogon, connProps);
}
Modified: trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
===================================================================
--- trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-11-09 18:03:26 UTC (rev 3622)
@@ -181,7 +181,7 @@
<title>Remote Connections</title>
<para>On the server, edit the &jboss-beans; under the "SessionService" bean definition, as follows:
<programlisting><![CDATA[<!-- Sets the authentication Type -->
-<property name="authenticationType">KRB5</property>
+<property name="authenticationType">GSS</property>
<!-- Security domain used for kerberos authentication -->
<property name="krb5SecurityDomain">teiid-krb5</property>]]></programlisting>
Modified: trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 2011-11-09 18:03:26 UTC (rev 3622)
@@ -149,4 +149,6 @@
String getKrb5SecurityDomain();
void associateSubjectInContext(String securityDomain, Subject subject);
+
+ Subject getSubjectInContext(String securityDomain);
}
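Review bot: The new `getSubjectInContext` declaration carries no Javadoc, and its caller in LogonImpl.logon (elsewhere in this commit) treats a null return as "no authenticated user" and rejects the logon, so that contract should be stated on the interface. Suggested: `/** Returns the Subject currently associated with the security context of the given domain, or null when none is associated. */`. The neighbouring `associateSubjectInContext` is undocumented as well, so this would also set the convention for the pair.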
Modified: trunk/jboss-integration/src/main/java/org/teiid/jboss/AssosiateCallerIdentityLoginModule.java
===================================================================
--- trunk/jboss-integration/src/main/java/org/teiid/jboss/AssosiateCallerIdentityLoginModule.java 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/jboss-integration/src/main/java/org/teiid/jboss/AssosiateCallerIdentityLoginModule.java 2011-11-09 18:03:26 UTC (rev 3622)
@@ -33,6 +33,8 @@
import org.jboss.security.SecurityContext;
import org.jboss.security.SubjectInfo;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
+import org.teiid.logging.LogConstants;
+import org.teiid.logging.LogManager;
/**
* This login modules simply takes the subject in the current context and adds
@@ -69,6 +71,8 @@
return true;
}
+ LogManager.logDetail(LogConstants.CTX_SECURITY, "Adding Passthrough principal="+principal.getName()); //$NON-NLS-1$
+
// Put the principal name into the sharedState map
sharedState.put("javax.security.auth.login.name", principal.getName()); //$NON-NLS-1$
sharedState.put("javax.security.auth.login.password", ""); //$NON-NLS-1$ //$NON-NLS-2$
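Review bot: The added `LogManager.logDetail` call builds its message by string concatenation, so `principal.getName()` and the concatenation run even when detail logging for CTX_SECURITY is disabled; if `logDetail` accepts message parts as separate arguments (not visible from this hunk), passing `"Adding Passthrough principal=", principal.getName()` avoids that. The enclosing method starts and ends outside the hunk, so I cannot see whether `principal` has already been null-checked at this point; the `return true` just above suggests a guard precedes it, but that should be confirmed before dereferencing it in the log line.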
Modified: trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 2011-11-09 18:03:26 UTC (rev 3622)
@@ -189,7 +189,7 @@
if (this.authType.equals(AuthenticationType.CLEARTEXT)) {
this.client.useClearTextAuthentication();
}
- else if (this.authType.equals(AuthenticationType.KRB5)) {
+ else if (this.authType.equals(AuthenticationType.GSS)) {
this.client.useAuthenticationGSS();
}
}
@@ -205,17 +205,21 @@
if (authType.equals(AuthenticationType.CLEARTEXT)) {
password = data.readString();
}
- else if (authType.equals(AuthenticationType.KRB5)) {
+ else if (authType.equals(AuthenticationType.GSS)) {
byte[] serviceToken = data.readServiceToken();
LogonResult result = this.logon.neogitiateGssLogin(this.props, serviceToken, false);
- if (!Boolean.TRUE.equals(result.getProperty(ILogon.KRB5_ESTABLISHED))) {
- serviceToken = (byte[])result.getProperty(ILogon.KRB5TOKEN);
+ serviceToken = (byte[])result.getProperty(ILogon.KRB5TOKEN);
+ if (Boolean.TRUE.equals(result.getProperty(ILogon.KRB5_ESTABLISHED))) {
+ passthroughAuthentication = ";PassthroughAuthentication=true;authenticationType=KRB5"; //$NON-NLS-1$
+ info.put(ILogon.KRB5TOKEN, serviceToken);
+ }
+ else {
this.client.authenticationGSSContinue(serviceToken);
- return;
+ return;
}
- passthroughAuthentication = ";PassthroughAuthentication=true"; //$NON-NLS-1$
}
+ // this is local connection
String url = "jdbc:teiid:"+databaseName+";ApplicationName=ODBC"+passthroughAuthentication; //$NON-NLS-1$ //$NON-NLS-2$
if (password != null) {
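Review bot: The new passthrough URL fragment hard-codes `authenticationType=KRB5` while this same commit renames the enum constant to `GSS` everywhere else (TeiidURL.java, SocketServerConnection.java and the hunk above); if the local-connection code resolves this property with `AuthenticationType.valueOf`, the value no longer exists and the passthrough logon will fail before LogonImpl.logon ever sees the token. Either change it to `";PassthroughAuthentication=true;authenticationType=GSS"` or, if `KRB5` is deliberately a distinct marker interpreted elsewhere, add a comment saying so. The method containing this code starts and ends outside the hunk.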
Modified: trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java 2011-11-09 18:03:26 UTC (rev 3622)
@@ -433,6 +433,11 @@
this.securityHelper.associateSecurityContext(securityDomain, this.securityHelper.createSecurityContext(securityDomain, principal, null, subject));
}
+ @Override
+ public Subject getSubjectInContext(String securityDomain) {
+ return this.securityHelper.getSubjectInContext(securityDomain);
+ }
+
public void setKrb5SecurityDomain(String domain) {
this.krb5SecurityDomain = domain;
}
Modified: trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-11-09 18:03:26 UTC (rev 3622)
@@ -66,6 +66,14 @@
}
public LogonResult logon(Properties connProps) throws LogonException, TeiidComponentException, CommunicationException {
+ if (this.service.getKrb5SecurityDomain() != null && connProps.get(ILogon.KRB5TOKEN) != null) {
+ Subject user = this.service.getSubjectInContext(this.service.getKrb5SecurityDomain());
+ if (user == null) {
+ throw new LogonException(RuntimePlugin.Util.getString("krb5_user_not_found")); //$NON-NLS-1$
+ }
+ return logon(connProps, (byte[])connProps.get(ILogon.KRB5TOKEN));
+ }
+
if (!AuthenticationType.CLEARTEXT.equals(service.getAuthType())) {
throw new LogonException(RuntimePlugin.Util.getString("wrong_logon_type_jaas")); //$NON-NLS-1$
}
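Review bot: The new guard at the top of `logon` lets a request bypass the `CLEARTEXT` check below on the strength of a non-null `KRB5TOKEN` property plus whatever Subject is currently bound to the thread's security context for the krb5 domain; the token's contents are not compared here against that context, so unless the private `logon(Properties, byte[])` overload (outside this hunk) does that, the thread-bound Subject is the only real credential and its lifetime across requests should be confirmed. The `(byte[])` cast on `connProps.get(ILogon.KRB5TOKEN)` will also throw ClassCastException if the property ever arrives as a String rather than the array the ODBC path stores; `Object token = connProps.get(ILogon.KRB5TOKEN); if (this.service.getKrb5SecurityDomain() != null && token instanceof byte[]) {` avoids that. `user` is fetched only for the null check, so a comment such as `// a Subject must already be bound by a completed GSS negotiation` would make the intent clear. The rest of `logon` continues past the hunk.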
@@ -145,7 +153,7 @@
@Override
public LogonResult neogitiateGssLogin(Properties connProps, byte[] serviceTicket, boolean createSession) throws LogonException {
- if (!AuthenticationType.KRB5.equals(service.getAuthType())) {
+ if (!AuthenticationType.GSS.equals(service.getAuthType())) {
throw new LogonException(RuntimePlugin.Util.getString("wrong_logon_type_krb5")); //$NON-NLS-1$
}
@@ -165,6 +173,11 @@
if (result == null) {
throw new LogonException(RuntimePlugin.Util.getString("krb5_login_failed")); //$NON-NLS-1$
}
+
+ if (result.context.isEstablished()) {
+ service.associateSubjectInContext(securityDomain, subject);
+ }
+
if (!result.context.isEstablished() || !createSession) {
LogonResult logonResult = new LogonResult(new SessionToken(0, "temp"), "internal", 0, "internal"); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
logonResult.addProperty(ILogon.KRB5TOKEN, result.serviceTicket);
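Review bot: Moving `associateSubjectInContext` ahead of the `createSession` check (the old call is removed in the next hunk) binds the Subject to the current thread's security context even when this call only returns the temporary "internal" LogonResult and creates no session, which is what the ODBC follow-up `logon` relies on. Nothing in this hunk clears that association if the follow-up logon never arrives or fails, so it is worth confirming that the transport resets the security context per request; otherwise the Subject stays bound to the worker thread. A comment at the new block, e.g. `// bind the subject now so the subsequent local logon (ODBC passthrough) can find it via getSubjectInContext`, would explain why the association no longer waits for the session-creating path. The enclosing `neogitiateGssLogin` body continues beyond the hunk.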
@@ -174,7 +187,6 @@
LogManager.logDetail(LogConstants.CTX_SECURITY, "Kerberos context established"); //$NON-NLS-1$
//connProps.setProperty(TeiidURL.CONNECTION.PASSTHROUGH_AUTHENTICATION, "true"); //$NON-NLS-1$
- service.associateSubjectInContext(securityDomain, subject);
return logon(connProps, result.serviceTicket);
} catch (LoginException e) {
throw new LogonException(e, RuntimePlugin.Util.getString("krb5_login_failed")); //$NON-NLS-1$
Modified: trunk/runtime/src/main/resources/org/teiid/runtime/i18n.properties
===================================================================
--- trunk/runtime/src/main/resources/org/teiid/runtime/i18n.properties 2011-11-09 10:23:35 UTC (rev 3621)
+++ trunk/runtime/src/main/resources/org/teiid/runtime/i18n.properties 2011-11-09 18:03:26 UTC (rev 3622)
@@ -97,4 +97,5 @@
wrong_logon_type_jaas = Wrong logon method is being used. Server is not set up for JAAS based authentication. Correct your client's 'AuthenticationType' property.
wrong_logon_type_krb5 = Wrong logon method is being used. Server is not set up for Kerberos based authentication. Correct your client's 'AuthenticationType' property.
krb5_login_failed=Kerberos context login failed
-no_security_domains=No security domain configured for Kerberos authentication. Can not authenticate.
\ No newline at end of file
+no_security_domains=No security domain configured for Kerberos authentication. Can not authenticate.
+krb5_user_not_found=GSS authentication is in use, however authenticated user not found in the context to proceed.
\ No newline at end of file