<html>
<head>
<base href="https://docs.jboss.org/author">
<link rel="stylesheet" href="/author/s/en/2172/19/5/_/styles/combined.css?spaceKey=TEIID&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><s>Teiid Security</s></h2>
<h4>Page <b>removed</b> by <a href="https://docs.jboss.org/author/display/~shawkins">Steven Hawkins</a>
</h4>
<br/>
<div class="notificationGreySide">
<p>The Teiid system provides a range of built-in and extensible security features to enable the secure access of data.</p>
<h1><a name="TeiidSecurity-Authentication"></a>Authentication</h1>
<p>JDBC clients may use simple passwords to authenticate a user.</p>
<p>Typically a user name is required, however user names may be considered optional if the identity of the user can be discerned by the password credential alone. In any case it is up to the configured security domain to determine whether a user can be authenticated. If you need authentication, the administrator must configure a LoginModule to be used with Teiid. See below for more information on how configure the Login module in JBoss AS.</p>
<div class='panelMacro'><table class='noteMacro'><colgroup><col width='24'><col></colgroup><tr><td valign='top'><img src="/author/images/icons/emoticons/warning.gif" width="16" height="16" align="absmiddle" alt="" border="0"></td><td>By default, access to Teiid is NOT secure. The default login modules are only backed by file based authentication, which has a well known user name and password. We <b>DO NOT</b> recommend leaving the default security profile as defined when you are exposing sensitive data.</td></tr></table></div>
<h3><a name="TeiidSecurity-PassthroughAuthentication"></a>Passthrough Authentication</h3>
<p>If your client application (web application or Web service) resides in the same JBoss AS instance as Teiid and the client application uses a security-domain, then you can configure Teiid to use the same security-domain and not force the user to re-authenticate. In this case Teiid looks for an authenticated subject in the calling thread context and uses it for sessioning and authorization. To configure Teiid for pass-through authentication, change the Teiid security-domain name to the same name as your application's security domain name in the "standalone-teiid.xml" file in the "transport" section. Please note that for this to work, the security-domain must be a JAAS based Login Module and your client application MUST obtain its Teiid connection using a <em>Local Connection</em> with the_PassthroughAuthentication_=true connection flag set.</p>
<h1><a name="TeiidSecurity-Authorization"></a>Authorization</h1>
<p>Authorization covers both administrative activities and data roles. A data role is a collection of permissions (also referred to as entitlements) and a collection of entitled principals or groups. With the deployment of a VDB the deployer can choose which principals and groups have which data roles. Check out <a href="/author/display/TEIID/Data+Roles" title="Data Roles">Reference Guide Data Roles</a> chapter for more information.</p>
<p>At a transport level Teiid provides built-in support for JDBC over SSL or just sensitive message encryption when SSL is not in use.</p>
<h1><a name="TeiidSecurity-Encryption"></a>Encryption</h1>
<p>Passwords in configuration files however are by default stored in plain text. If you need these values to be encrypted, please see <a href="http://community.jboss.org/wiki/maskingpasswordsinjbossasxmlconfiguration" class="external-link" rel="nofollow">encrypting passwords</a> for instructions on encryption facilities provided by the container.</p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>