From teiid-commits at lists.jboss.org Thu Oct 6 21:33:47 2011
From: teiid-commits at lists.jboss.org
To: teiid-commits at lists.jboss.org
Subject: [teiid-commits] teiid SVN: r3540 - in trunk: runtime/src/main/java/org/teiid/transport and 1 other directories.
Date: Thu, 06 Oct 2011 21:33:47 -0400
Message-ID: <201110070133.p971Xlml032475@svn01.web.mwc.hst.phx2.redhat.com>

Author: shawkins
Date: 2011-10-06 21:33:47 -0400 (Thu, 06 Oct 2011)
New Revision: 3540

Modified:
trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
trunk/runtime/src/test/java/org/teiid/transport/TestCommSockets.java

Log:
TEIID-1772 refining cipher suite logic
TEIID-1749 expanding the admin guide on login modules

Modified: trunk/documentation/admin-guide/src/main/docbook/en-US/content/se= curity.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/documentation/admin-guide/src/main/docbook/en-US/content/security= .xml 2011-10-06 21:06:06 UTC (rev 3539) +++ trunk/documentation/admin-guide/src/main/docbook/en-US/content/security= .xml 2011-10-07 01:33:47 UTC (rev 3540)
@@ -87,24 +87,80 @@ The default name of JDBC connection's security-domain is "= teiid-security". The default name for Admin connection is "jmx-console". For the Admin connection's security doma= in, the user is allowed to change which LoginModule that "jmx-console" pointing to= , however should not change the name of the domain, as this name is - shared between the "admin-console" application. + shared between the "admin-console" application. In existi= ng installations an appropriate security domain may already be configured f= or use by administrative clients (typically "jmx-console"). + In this case it may be perfectly valid to reuse this existing security d= omain instead of creating a new teiid-security security domain. = =
Built-in LoginModules - JBossAS provides several LoginModules for common authentication n= eeds, such as authenticating from text files or LDAP. - The UsersRolesLoginModule, which utilizes simple text files - to authenticate users and to define - their groups. =C2=A0The teiid-jboss-beans.xml configuration file conta= ins an example of how to use UsersRolesLoginModule. = - Note that this is typically not for production use and is strongly rec= ommended that you replace this login module. Please = - also note that, you can install multiple login modules as = part of single security domain configuration and configure them = + JBossAS provides several LoginModules for common authentication n= eeds, such as authenticating from a or a . + You can install multiple login modules as part of single security= domain configuration and configure them = to part of login process. For example, for "teiid-security= " domain, you can configure a file based and also LDAP based login modules, = - and have your user authenticated with either both or singl= e login module. = + and have your user authenticated with either or both login= modules. If you want to write your own custom login module, check out the= Developer's Guide for instructions. = - See LDAP LoginModule configuration for utilizing LDAP based authentic= ation. - If you want write your own Custom Login module, check out the = Developer's Guide for instructions. - + +
+ Text Based LoginModule + The UsersRolesLoginModule utilizes simple text files to authentic= ate users and to define their groups. =C2=A0 +The teiid-jboss-beans.xml configuration file contains an example of how to= use UsersRolesLoginModule. = +The UsersRolesLoginModule is not recommended for production us= e and is strongly recommended that you replace this login module. + + User names and passwords are stored in the <profile>conf/pr= ops/teiid-security-users.properties file. +Example user.properties file + + +JAAS role assignments are stored in the <profile>conf/props/teiid-se= curity-roles.properties file. +Example user.properties file + + +User and role names are entirely up to the needs of the given deployment. = For example each application team can set their own security constraints f= or their VDBs, by mapping their VDB data roles to application specific JAAS= roles, e.g. app_role_1=3Duser1,user2,user3. +Teiid data roles names are independent of JAAS roles. VDB cre= ators can choose whatever name they want for their data roles, which are th= en mapped at deployment time to JAAS roles. +
+ +
+ LDAP Based LoginModule + See LDA= P LoginModule configuration for the AS community guide. The follow= ing are streamlined installation instruction. + + If using SSL to the LDAP server, ensure that the Cor= porate CA Certificate is added to the JRE trust store. + + = + Include LDAP LoginModule in the JAAS Configuration + Configure LDAP authentication by editing <profile>conf/l= ogin-config.xml. If you wish to configure specifically for teiid, then the= security domain teiid-security will need to be created/altered. + In new installations the more likely option is that you want to conf= igure LDAP based authentication for the AS itself by modifying the "jmx-con= sole" security domain. + You could do one of the following for Teiid: + + + Reuse the jmx-console (or whatever name you choose) security= domain for Teiid by changing the teiid configuration &jboss-beans; to poin= t to jmx-console, rather than teiid-security. + + + + Follow the same steps to configure an LDAP security domain n= amed teiid-security. + + + + Leave Teiid to use the default file based LoginModule secuir= ty domain or create an entirely custom security domain configuration. + + + + + Obscure the LDAP PasswordFinally, prote= ct the password following these instructions. + Note that the salt must be 8 chars andd see also http://community.jb= oss.org/message/137756#137756 for more on securing passwords. + + + +
+
=
Kerberos support through GSSAPI @@ -389,7 +445,7 @@ public key for the client. Depending upon how you created the = keystore and truststores, = this may be same file as defined under "keystoreFilename" pro= perty. truststorePassword - password for the truststo= re. - enabledCipherSuites - A comma separated list o= f cipher suites allowed for encryption between server and client + enabledCipherSuites - A comma separated list o= f cipher suites allowed for encryption between server and client. The valu= es must be valid supported cipher suites otherwise SSL connections will fai= l. =
SSL Authentication Modes Modified: trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.= java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java 2= 011-10-06 21:06:06 UTC (rev 3539) +++ trunk/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java 2= 011-10-07 01:33:47 UTC (rev 3540) @@ -24,9 +24,7 @@ = import java.io.IOException; import java.security.GeneralSecurityException; -import java.util.ArrayList; import java.util.Arrays; -import java.util.StringTokenizer; = import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; @@ -90,7 +88,7 @@ if (!(Arrays.asList(result.getSupportedCipherSuites()).contain= s(SocketUtil.ANON_CIPHER_SUITE))) { throw new GeneralSecurityException(RuntimePlugin.Util.getStri= ng("SSLConfiguration.no_anonymous")); //$NON-NLS-1$ } - result.setEnabledCipherSuites(this.enabledCipherSuites =3D=3D = null?new String[] {SocketUtil.ANON_CIPHER_SUITE}:this.enabledCipherSuites); + result.setEnabledCipherSuites(new String[] {SocketUtil.ANON_CI= PHER_SUITE}); } else { if (this.enabledCipherSuites !=3D null) { result.setEnabledCipherSuites(this.enabledCipherSuites); 
@@ -150,14 +148,10 @@ } = public void setEnabledCipherSuites(String enabledCipherSuites) { - ArrayList ciphers =3D new ArrayList(); - StringTokenizer st =3D new StringTokenizer(enabledCipherSuites); - while(st.hasMoreTokens()) { - ciphers.add(st.nextToken().trim()); - } - = - if (!ciphers.isEmpty()) { - this.enabledCipherSuites =3D ciphers.toArray(new String[ciphers.size()]= ); - } + this.enabledCipherSuites =3D enabledCipherSuites.split(","); //$NON-NLS-= 1$ } = + = + public String[] getEnabledCipherSuites() { + return enabledCipherSuites; + } } Modified: trunk/runtime/src/test/java/org/teiid/transport/TestCommSockets.j= ava =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/runtime/src/test/java/org/teiid/transport/TestCommSockets.java 20= 11-10-06 21:06:06 UTC (rev 3539) +++ trunk/runtime/src/test/java/org/teiid/transport/TestCommSockets.java 20= 11-10-07 01:33:47 UTC (rev 3540) @@ -217,6 +217,7 @@ @Test public void testAnonSSLConnect() throws Exception { SSLConfiguration config =3D new SSLConfiguration(); config.setMode(SSLConfiguration.ENABLED); + config.setEnabledCipherSuites("x"); //ensure that this cipher suite is n= ot used config.setAuthenticationMode(SSLConfiguration.ANONYMOUS); Properties p =3D new Properties(); p.setProperty("org.teiid.sockets.soTimeout", "100"); @@ -255,4 +256,10 @@ conn.close(); } = + @Test public void testEnableCipherSuites() throws Exception { + SSLConfiguration config =3D new SSLConfiguration(); + config.setEnabledCipherSuites("x,y,z"); + assertArrayEquals(new String[] {"x","y","z"}, config.getEnabledCipherSui= tes()); + } + = } --===============9202504330045239025==--
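Review bot: the new docbook text in the security.xml hunk @@ -87,24 +87,80 @@ has several wording defects that will ship to users as-is: "default file based LoginModule secuirty domain" should read "security domain", "the salt must be 8 chars andd see also" should read "and see also", "streamlined installation instruction" should be plural, and "is not recommended for production use and is strongly recommended that you replace" needs "and it is strongly recommended". The second "Example user.properties file" caption sits under the teiid-security-roles.properties paragraph and should name the roles file instead. The sentence "authenticating from a or a ." appears to be missing its link text after "from a" and "or a"; please check that the referenced elements render, since as plain text the sentence is unreadable.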
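Review bot: the enabledCipherSuites description added in the security.xml hunk @@ -389,7 +445,7 @@ should also state that the property is ignored entirely when the authentication mode is anonymous, because the SSLConfiguration hunk @@ -90,7 +88,7 @@ now always sets new String[] {SocketUtil.ANON_CIPHER_SUITE} in that branch regardless of what was configured. It would also help operators to say that names are not trimmed, so a space after a comma makes the entry invalid and the connection fail in the way the new sentence warns about.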
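Review bot: in the SSLConfiguration hunk @@ -90,7 +88,7 @@ a configured enabledCipherSuites value is now silently discarded in anonymous mode; since this.enabledCipherSuites is still available at that point, log a warning when it is non-null so an operator learns that their setting had no effect. In the else branch the configured names are passed straight to result.setEnabledCipherSuites without being checked against result.getSupportedCipherSuites(), so a misspelled suite surfaces only as an IllegalArgumentException from the JSSE engine at connection time; validating up front, as the anonymous branch already does for ANON_CIPHER_SUITE, and reporting the offending names in the GeneralSecurityException message would give a much clearer failure.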
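Review bot: the replacement setEnabledCipherSuites in the SSLConfiguration hunk @@ -150,14 +148,10 @@ uses enabledCipherSuites.split(",") with no trimming, so "A, B" yields " B" (an invalid suite name), an empty string yields new String[] {""} where the removed code left the field null, and a null argument throws NullPointerException. Suggest trimming each token and dropping empties, e.g. `for (String s : enabledCipherSuites.split(",")) { s = s.trim(); if (!s.isEmpty()) ciphers.add(s); }` and only assigning the field when the list is non-empty, which keeps the old "empty means unset" behaviour. Note also that the removed StringTokenizer used its default whitespace delimiters, so the old code never split on commas at all; this change makes the code match the documented comma-separated format but is a behavioural change for any existing whitespace-separated configuration and deserves a mention in the release notes.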
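Review bot: in the TestCommSockets hunk @@ -217,6 +217,7 @@ the config.setEnabledCipherSuites("x") line only verifies the anonymous-mode override indirectly, through the connection still succeeding; asserting that the engine's enabled suites equal new String[] {SocketUtil.ANON_CIPHER_SUITE} would pin the intended behaviour explicitly and would fail loudly if a later change let "x" through.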
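Review bot: testEnableCipherSuites in the TestCommSockets hunk @@ -255,4 +256,10 @@ covers only the clean "x,y,z" input; add cases for whitespace around the commas ("x, y") and for an empty string, since those are exactly the inputs where split(",") behaves differently from the removed tokenizer and where the parsing contract should be fixed by a test.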