From teiid-commits at lists.jboss.org Tue Aug 16 15:39:25 2011 Content-Type: multipart/mixed; boundary="===============5297886034465094102==" MIME-Version: 1.0 From: teiid-commits at lists.jboss.org To: teiid-commits at lists.jboss.org Subject: [teiid-commits] teiid SVN: r3387 - in trunk: documentation/admin-guide/src/main/docbook/en-US/content and 7 other directories. Date: Tue, 16 Aug 2011 15:39:25 -0400 Message-ID: <201108161939.p7GJdPCG023604@svn01.web.mwc.hst.phx2.redhat.com> --===============5297886034465094102== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: shawkins Date: 2011-08-16 15:39:25 -0400 (Tue, 16 Aug 2011) New Revision: 3387 Modified: trunk/client/src/main/java/org/teiid/client/security/LogonResult.java trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.= xml trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext= .java trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelpe= r.java trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java Log: TEIID-1610 minor changes to the initial check-in of GSSAPI support Modified: trunk/client/src/main/java/org/teiid/client/security/LogonResult.= java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/client/src/main/java/org/teiid/client/security/LogonResult.java 2= 011-08-16 19:13:31 UTC (rev 3386) +++ trunk/client/src/main/java/org/teiid/client/security/LogonResult.java 2= 011-08-16 19:39:25 UTC (rev 3387) 
@@ -26,6 +26,7 @@ import java.io.IOException; import java.io.ObjectInput; import java.io.ObjectOutput; +import java.io.OptionalDataException; import java.util.HashMap; import java.util.Map; import java.util.TimeZone; @@ -116,7 +117,11 @@ timeZone =3D (TimeZone)in.readObject(); clusterName =3D (String)in.readObject(); vdbVersion =3D in.readInt(); - addtionalProperties =3D ExternalizeUtil.readMap(in); + try { + addtionalProperties =3D ExternalizeUtil.readMap(in); + } catch (OptionalDataException e) { + = + } } = @Override Modified: trunk/documentation/admin-guide/src/main/docbook/en-US/content/se= curity.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/documentation/admin-guide/src/main/docbook/en-US/content/security= .xml 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/documentation/admin-guide/src/main/docbook/en-US/content/security= .xml 2011-08-16 19:39:25 UTC (rev 3387) @@ -1,5 +1,8 @@ - + +%CustomDTD; +]> Teiid Security The Teiid system provides a range of built-in and extensible securi= ty features to enable the @@ -106,23 +109,21 @@
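Review bot: The new `catch (OptionalDataException e) { }` in readExternal swallows the exception without a word, so the next maintainer cannot tell whether this is deliberate compatibility handling or an oversight; presumably it tolerates a peer whose serialized LogonResult predates the additional-properties map, but that is not visible in the hunk. The block should carry a comment stating the reason, e.g. `// older peers do not write addtionalProperties; leave the map unset — TODO confirm the wire-compat reason`, and the variable could be named `ignored` per convention. The enclosing readExternal method starts outside the hunk.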
Kerberos support through GSSAPI Teiid supports kerberos authentication using GSSAPI, to = be used with single sign-on applications. - This service ticket negotiation based authentication is suppor= ted through remote JDBC and ODBC drivers and as = - well as in LocalConnections. However, configuration is varies = for local connections vs remote connections + This service ticket negotiation based authentication is suppor= ted through remote JDBC and ODBC drivers and LocalConnections. = + Client configuration is different for all connection types. =
LocalConnection - For supporting kerberos through local connections, p= rovide JDBC URL property PassthroughAuthentication = - as true and use the JBoss Negotiation as = - authentication configure your web-application for kerberos= . When the web application authenticates with the provided + Set the JDBC URL property PassthroughAuthe= ntication = + as true and use JBoss Negotiation for = + authentication of your web-application with kerberos. When= the web application authenticates with the provided kerberos token, the same subject authenticated will be use= d in Teiid. For details about configuration, check the = JBoss Negotiation documentation.
=
- Remote JDBC Connection - Server: For supporting the kerberos through jdbc fro= m a remote client application, follow the below configuration. - On the server, edit "{jboss-as}/server/{profile}/deploy/te= iid/teiid-jboss-beans.xml" file, and make sure under = - "SessionService" bean definition the following properties = are set. + Remote Connections + On the server, edit the &jboss-beans; under the "Ses= sionService" bean definition, as follows: = KRB5 @@ -130,12 +131,11 @@ teiid-krb5 = ]]> = = - Now we need to define security domain context for kerberos= with name mentioned in above, and since the kerberos = - authorization can not define authorization roles, we need = devise a way to define them using another login context. = - Given below is sample configuration to define roles using = UserRolesLoginModule. = - Note that the below configuration replaces the default Tei= id login configuration. Note to change the principal = - and key tab locations accordingly. - = + Now we need to define a security domain context for kerber= os with the name mentioned in above. + Since kerberos authorization cannot define authorization r= oles, we'll define them using another login context. = + Given below is a sample configuration to define roles usin= g a UserRolesLoginModule. = + This configuration replaces the default Teiid = login configuration, and you should change the principal = + and key tab locations accordingly. = 
@@ -166,51 +166,59 @@ = ]]> - Edit "run.conf" or "run.conf.bat"file depending upon the en= vironment in "${jboss-as}/bin" directory = - and add the following JVM options to startup script (note t= o change the realm and KDC settings according to your environment) + Edit the "run.conf" or "run.conf.bat" file depending upon t= he environment in the "${jboss-as}/bin" directory = + and add the following JVM options (changing the realm and K= DC settings according to your environment) = = This finishes the configuration on the server side, restart th= e server and make sure that there were no errors during startup. = = - Client: The following configuration needs to be done on = the Teiid client application VM. For client VM, JAAS = - configuration for kerberos authentication needs to be written.= A sample configuration file (client.conf) is show below - = - = - = - Add the following JVM options to your client's startup script,= note the change Realm and KDC settings according to = - your environment - = - = - Add the following URL connection properties to Teiid JDBC conn= ection string - - There is no need to provide the user name and password, when t= he application is trying to make JDBC connection it - will authenticate locally and use the same user credetinals to= neogitiate service token with server and grant the - connection. See Client Developer's guide for information on co= nnection properties and how to configure data sources. - -
- -
= +
+ JDBC Client Configuration = + In you client VM the JAAS = + configuration for kerberos authentication needs to be written= . A sample configuration file (client.conf) is show below + = + = + = + Add the following JVM options to your client's startup script= - change Realm and KDC settings according to = + your environment + = + = + Add the following URL connection properties to Teiid JDBC con= nection string + + There is no need to provide the user name and password, when = the application is trying to make JDBC connection it + will authenticate locally and use the same user credetinals t= o neogitiate service token with server and grant the + connection. See Client Developer's guide for information on c= onnection properties and how to configure data sources. + +
+ = + = + + = +
+ ODBC Client Configuration + Consult the PostgreSQL ODBC client documentation. +
=
Security at Data Source level Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWork= Context.java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContex= t.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContex= t.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -207,7 +207,7 @@ DQPWorkContext.setWorkContext(this); boolean associated =3D false; if (securityHelper !=3D null && this.getSubject() !=3D null) { - associated =3D securityHelper.assosiateSecurityContext(this.getSecurity= Domain(), this.getSecurityContext()); = + associated =3D securityHelper.associateSecurityContext(this.getSecurity= Domain(), this.getSecurityContext()); = } return associated; } Modified: trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.j= ava =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 20= 11-08-16 19:13:31 UTC (rev 3386) +++ trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 20= 11-08-16 19:39:25 UTC (rev 3387) @@ -23,7 +23,6 @@ package org.teiid.dqp.service; = import java.util.Collection; -import java.util.List; import java.util.Properties; = import javax.security.auth.Subject; 
@@ -149,5 +148,5 @@ = String getKrb5SecurityDomain(); = - void assosiateSubjectInContext(String securityDomain, Subject subject); = + void associateSubjectInContext(String securityDomain, Subject subject); = } Modified: trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java 2011-= 08-16 19:13:31 UTC (rev 3386) +++ trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java 2011-= 08-16 19:39:25 UTC (rev 3387) @@ -28,7 +28,7 @@ = public interface SecurityHelper { = - boolean assosiateSecurityContext(String securityDomain, Object context); + boolean associateSecurityContext(String securityDomain, Object context); = void clearSecurityContext(String securityDomain); = Modified: trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecuri= tyHelper.java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelp= er.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelp= er.java 2011-08-16 19:39:25 UTC (rev 3387) 
@@ -36,7 +36,7 @@ private static final long serialVersionUID =3D 3598997061994110254L; = @Override - public boolean assosiateSecurityContext(String securityDomain, Object new= Context) { + public boolean associateSecurityContext(String securityDomain, Object new= Context) { SecurityContext context =3D SecurityActions.getSecurityContext(); if (context =3D=3D null || (!context.getSecurityDomain().equals(security= Domain) && newContext !=3D null)) { SecurityActions.setSecurityContext((SecurityContext)newContext); Modified: trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.j= ava =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 20= 11-08-16 19:13:31 UTC (rev 3386) +++ trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 20= 11-08-16 19:39:25 UTC (rev 3387) @@ -21,7 +21,7 @@ */ package org.teiid.odbc; = -import static org.teiid.odbc.PGUtil.convertType; +import static org.teiid.odbc.PGUtil.*; = import java.io.IOException; import java.io.StringReader; 
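Review bot: The ODBCServerRemoteImpl import hunk replaces the explicit `import static org.teiid.odbc.PGUtil.convertType;` with `import static org.teiid.odbc.PGUtil.*;`, which hides which PGUtil helpers the file now relies on; the newly used members are not shown in this hunk, so I can only infer that more than convertType is needed. Listing the additional names explicitly alongside `convertType` keeps the dependency readable and avoids name-shadowing surprises as PGUtil grows.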
@@ -207,7 +207,7 @@ else if (authType.equals(AuthenticationType.KRB5)) { byte[] serviceToken =3D data.readServiceToken(); LogonResult result =3D this.logon.neogitiateGssLogin(this.pro= ps, serviceToken, false); - if ((Boolean)result.getProperty(ILogon.KRB5_ESTABLISHED)) { + if (!Boolean.TRUE.equals(result.getProperty(ILogon.KRB5_ESTAB= LISHED))) { serviceToken =3D (byte[])result.getProperty(ILogon.KRB5TOKEN= ); this.client.authenticationGSSContinue(serviceToken); return; Modified: trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl= .java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java = 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java = 2011-08-16 19:39:25 UTC (rev 3387) 
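Review bot: The new guard `if (!Boolean.TRUE.equals(result.getProperty(ILogon.KRB5_ESTABLISHED)))` is the negation of the old test, so from the hunk alone a reader cannot tell which semantics was intended; a short comment would settle it, e.g. `// context not yet established: return the server token to the client for another GSS round`. The token on the following line, `(byte[])result.getProperty(ILogon.KRB5TOKEN)`, is handed to authenticationGSSContinue without a null check, so a not-established result that carries no token would send a null continuation; presumably neogitiateGssLogin always sets it in that state, but that is not visible here. The enclosing method starts and ends outside the hunk.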
@@ -424,13 +424,13 @@ } = @Override - public void assosiateSubjectInContext(String securityDomain, Subject subj= ect) { + public void associateSubjectInContext(String securityDomain, Subject subj= ect) { Principal principal =3D null; for(Principal p:subject.getPrincipals()) { principal =3D p; break; } - this.securityHelper.assosiateSecurityContext(securityDomain, this.sec= urityHelper.createSecurityContext(securityDomain, principal, null, subject)= ); = + this.securityHelper.associateSecurityContext(securityDomain, this.sec= urityHelper.createSecurityContext(securityDomain, principal, null, subject)= ); = } = public void setKrb5SecurityDomain(String domain) { Modified: trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-08-= 16 19:13:31 UTC (rev 3386) +++ trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-08-= 16 19:39:25 UTC (rev 3387) @@ -174,7 +174,7 @@ = LogManager.logDetail(LogConstants.CTX_SECURITY, "Kerberos context estab= lished"); //$NON-NLS-1$ //connProps.setProperty(TeiidURL.CONNECTION.PASSTHROUGH_AUTHENTICATION,= "true"); //$NON-NLS-1$ - service.assosiateSubjectInContext(securityDomain, subject); + service.associateSubjectInContext(securityDomain, subject); return logon(connProps, result.serviceTicket); } catch (LoginException e) { throw new LogonException(e, RuntimePlugin.Util.getString("krb5_login_fa= iled")); //$NON-NLS-1$ --===============5297886034465094102==--
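Review bot: In associateSubjectInContext the for/break loop binds `principal` to whichever element `subject.getPrincipals()` yields first and leaves it null when the set is empty, so the identity passed to createSecurityContext depends on Set iteration order rather than on an explicit choice. If the Kerberos principal is the intended one, selecting it by type (an `instanceof` check on the expected principal class) would make the selection deterministic, and the empty-set case should either be rejected or documented as intentionally passing a null principal to the helper. At minimum a comment such as `// the subject's first principal becomes the security-context identity — TODO confirm this is the Kerberos principal` would record the intent. The method is fully contained in the hunk.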