Author: rareddy
Date: 2011-11-09 13:03:26 -0500 (Wed, 09 Nov 2011)
New Revision: 3622
Modified:
trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
trunk/client/src/main/java/org/teiid/net/TeiidURL.java
trunk/client/src/main/java/org/teiid/net/socket/SocketServerConnection.java
trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java
trunk/jboss-integration/src/main/java/org/teiid/jboss/AssosiateCallerIdentityLoginModule.java
trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java
trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java
trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java
trunk/runtime/src/main/resources/org/teiid/runtime/i18n.properties
Log:
TEIID-1610: Fixing an issue with ODBC GSS login, where after the GSS negotiation the
subject was not placed in the security context, and also it uses JDBC login with GSS
auth-type, but there was no logic to allow this user to proceed.
Modified: trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
===================================================================
--- trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-11-09
10:23:35 UTC (rev 3621)
+++ trunk/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml 2011-11-09
18:03:26 UTC (rev 3622)
@@ -13,9 +13,9 @@
<property name="sessionMaxLimit">5000</property>
<!-- Max allowed time before the session is terminated by the system, 0
indicates unlimited (default 0) -->
<property name="sessionExpirationTimeLimit">0</property>
- <!-- authentication type are CLEARTEXT, KRB5 (default:CLEARTEXT) -->
+ <!-- authentication type are CLEARTEXT, GSS (default:CLEARTEXT) -->
<property name="authenticationType">CLEARTEXT</property>
- <!-- When authenticationType=KRB5, then it requires a kerberos security domain
to authorize first before teiid-security takes over -->
+ <!-- When authenticationType=GSS, then it requires a kerberos security domain
to authorize first before teiid-security takes over -->
<property name="krb5SecurityDomain">teiid-krb5</property>
</bean>
Modified: trunk/client/src/main/java/org/teiid/net/TeiidURL.java
===================================================================
--- trunk/client/src/main/java/org/teiid/net/TeiidURL.java 2011-11-09 10:23:35 UTC (rev
3621)
+++ trunk/client/src/main/java/org/teiid/net/TeiidURL.java 2011-11-09 18:03:26 UTC (rev
3622)
@@ -90,7 +90,7 @@
public static final String KERBEROS_SERVICE_PRINCIPLE_NAME =
"kerberosServicePrincipleName"; //$NON-NLS-1$
public enum AuthenticationType {
- CLEARTEXT,KRB5
+ CLEARTEXT,GSS
};
}
Modified: trunk/client/src/main/java/org/teiid/net/socket/SocketServerConnection.java
===================================================================
--- trunk/client/src/main/java/org/teiid/net/socket/SocketServerConnection.java 2011-11-09
10:23:35 UTC (rev 3621)
+++ trunk/client/src/main/java/org/teiid/net/socket/SocketServerConnection.java 2011-11-09
18:03:26 UTC (rev 3622)
@@ -176,7 +176,7 @@
if (AuthenticationType.CLEARTEXT.equals(authType)) {
newResult = newLogon.logon(connProps);
}
- else if (AuthenticationType.KRB5.equals(authType)) {
+ else if (AuthenticationType.GSS.equals(authType)) {
newResult = MakeGSS.authenticate(newLogon, connProps);
}
Modified: trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
===================================================================
--- trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-11-09
10:23:35 UTC (rev 3621)
+++ trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-11-09
18:03:26 UTC (rev 3622)
@@ -181,7 +181,7 @@
<title>Remote Connections</title>
<para>On the server, edit the &jboss-beans; under the
"SessionService" bean definition, as follows:
<programlisting><![CDATA[<!-- Sets the authentication Type
-->
-<property name="authenticationType">KRB5</property>
+<property name="authenticationType">GSS</property>
<!-- Security domain used for kerberos authentication -->
<property
name="krb5SecurityDomain">teiid-krb5</property>]]></programlisting>
Modified: trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 2011-11-09
10:23:35 UTC (rev 3621)
+++ trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 2011-11-09
18:03:26 UTC (rev 3622)
@@ -149,4 +149,6 @@
String getKrb5SecurityDomain();
void associateSubjectInContext(String securityDomain, Subject subject);
+
+ Subject getSubjectInContext(String securityDomain);
}
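Review bot: The new interface method `getSubjectInContext` is added to the SessionService contract without Javadoc, while the sibling `associateSubjectInContext` it pairs with is also undocumented; since the only implementation visible in this commit (SessionServiceImpl) merely delegates to securityHelper, the interface is the place to state the contract. The caller added in LogonImpl.logon treats a null return as "no authenticated user", so the nullability is part of that contract. Suggested: `/** Returns the Subject currently associated with {@code securityDomain} in the caller's security context, or null when none has been associated (see associateSubjectInContext). */`.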
Modified:
trunk/jboss-integration/src/main/java/org/teiid/jboss/AssosiateCallerIdentityLoginModule.java
===================================================================
---
trunk/jboss-integration/src/main/java/org/teiid/jboss/AssosiateCallerIdentityLoginModule.java 2011-11-09
10:23:35 UTC (rev 3621)
+++
trunk/jboss-integration/src/main/java/org/teiid/jboss/AssosiateCallerIdentityLoginModule.java 2011-11-09
18:03:26 UTC (rev 3622)
@@ -33,6 +33,8 @@
import org.jboss.security.SecurityContext;
import org.jboss.security.SubjectInfo;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
+import org.teiid.logging.LogConstants;
+import org.teiid.logging.LogManager;
/**
* This login modules simply takes the subject in the current context and adds
@@ -69,6 +71,8 @@
return true;
}
+ LogManager.logDetail(LogConstants.CTX_SECURITY, "Adding Passthrough
principal="+principal.getName()); //$NON-NLS-1$
+
// Put the principal name into the sharedState map
sharedState.put("javax.security.auth.login.name", principal.getName());
//$NON-NLS-1$
sharedState.put("javax.security.auth.login.password", "");
//$NON-NLS-1$ //$NON-NLS-2$
Modified: trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 2011-11-09
10:23:35 UTC (rev 3621)
+++ trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 2011-11-09
18:03:26 UTC (rev 3622)
@@ -189,7 +189,7 @@
if (this.authType.equals(AuthenticationType.CLEARTEXT)) {
this.client.useClearTextAuthentication();
}
- else if (this.authType.equals(AuthenticationType.KRB5)) {
+ else if (this.authType.equals(AuthenticationType.GSS)) {
this.client.useAuthenticationGSS();
}
}
@@ -205,17 +205,21 @@
if (authType.equals(AuthenticationType.CLEARTEXT)) {
password = data.readString();
}
- else if (authType.equals(AuthenticationType.KRB5)) {
+ else if (authType.equals(AuthenticationType.GSS)) {
byte[] serviceToken = data.readServiceToken();
LogonResult result = this.logon.neogitiateGssLogin(this.props, serviceToken,
false);
- if (!Boolean.TRUE.equals(result.getProperty(ILogon.KRB5_ESTABLISHED))) {
- serviceToken = (byte[])result.getProperty(ILogon.KRB5TOKEN);
+ serviceToken = (byte[])result.getProperty(ILogon.KRB5TOKEN);
+ if (Boolean.TRUE.equals(result.getProperty(ILogon.KRB5_ESTABLISHED))) {
+ passthroughAuthentication =
";PassthroughAuthentication=true;authenticationType=KRB5"; //$NON-NLS-1$
+ info.put(ILogon.KRB5TOKEN, serviceToken);
+ }
+ else {
this.client.authenticationGSSContinue(serviceToken);
- return;
+ return;
}
- passthroughAuthentication = ";PassthroughAuthentication=true";
//$NON-NLS-1$
}
+ // this is local connection
String url =
"jdbc:teiid:"+databaseName+";ApplicationName=ODBC"+passthroughAuthentication;
//$NON-NLS-1$ //$NON-NLS-2$
if (password != null) {
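Review bot: The new passthrough URL fragment `";PassthroughAuthentication=true;authenticationType=KRB5"` still spells the value that this same commit renames to GSS in TeiidURL.AuthenticationType, SocketServerConnection, LogonImpl and the bean config, so the enum no longer has a `KRB5` constant. If that property is ever resolved through `AuthenticationType.valueOf` on the local-connection path it will not match any constant; if it is only carried along as an opaque string it is at least misleading next to the renamed enum, so it should read `passthroughAuthentication = ";PassthroughAuthentication=true;authenticationType=GSS"; //$NON-NLS-1$`. Separately, the established service token is now copied into the connection `info` properties and later used by LogonImpl.logon as the marker that selects the GSS path; a one-line comment at `info.put(ILogon.KRB5TOKEN, serviceToken)` stating that LogonImpl.logon keys off this property would make the cross-file contract visible. The enclosing method starts before the hunk.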
Modified: trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java 2011-11-09
10:23:35 UTC (rev 3621)
+++ trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java 2011-11-09
18:03:26 UTC (rev 3622)
@@ -433,6 +433,11 @@
this.securityHelper.associateSecurityContext(securityDomain,
this.securityHelper.createSecurityContext(securityDomain, principal, null, subject));
}
+ @Override
+ public Subject getSubjectInContext(String securityDomain) {
+ return this.securityHelper.getSubjectInContext(securityDomain);
+ }
+
public void setKrb5SecurityDomain(String domain) {
this.krb5SecurityDomain = domain;
}
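Review bot: Style: the new `getSubjectInContext` override is placed directly against the closing brace of `associateSubjectInContext` with no separating blank line, while the blank line is put after it before `setKrb5SecurityDomain`; the rest of this section separates methods with a blank line, so the blank should move above the `@Override`. A short Javadoc on the override is optional since the interface should carry the contract, but `/** Delegates to securityHelper; may return null when no subject is associated. */` would reflect how LogonImpl.logon uses the result.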
Modified: trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-11-09 10:23:35 UTC
(rev 3621)
+++ trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-11-09 18:03:26 UTC
(rev 3622)
@@ -66,6 +66,14 @@
}
public LogonResult logon(Properties connProps) throws LogonException,
TeiidComponentException, CommunicationException {
+ if (this.service.getKrb5SecurityDomain() != null &&
connProps.get(ILogon.KRB5TOKEN) != null) {
+ Subject user =
this.service.getSubjectInContext(this.service.getKrb5SecurityDomain());
+ if (user == null) {
+ throw new
LogonException(RuntimePlugin.Util.getString("krb5_user_not_found"));
//$NON-NLS-1$
+ }
+ return logon(connProps, (byte[])connProps.get(ILogon.KRB5TOKEN));
+ }
+
if (!AuthenticationType.CLEARTEXT.equals(service.getAuthType())) {
throw new
LogonException(RuntimePlugin.Util.getString("wrong_logon_type_jaas"));
//$NON-NLS-1$
}
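Review bot: The new guard at the top of `logon(Properties)` switches to the GSS path whenever the `ILogon.KRB5TOKEN` property is merely present, and the token value itself is never inspected here; the actual authentication gate is that `getSubjectInContext` finds a Subject in the configured kerberos domain, with the token only forwarded to `logon(connProps, byte[])`. That is a reasonable design given the ODBC flow in this commit, but a maintainer could easily read the check as validating the token, so a comment is warranted: `// KRB5TOKEN only marks a completed GSS negotiation (ODBC path); the Subject already placed in the krb5 security context is what authorizes this logon`. Minor: `this.service.getKrb5SecurityDomain()` is called twice in three lines; hoisting it into a local such as `String krb5Domain = this.service.getKrb5SecurityDomain();` avoids the repeated lookup and keeps the condition and the `getSubjectInContext` call in agreement.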
@@ -145,7 +153,7 @@
@Override
public LogonResult neogitiateGssLogin(Properties connProps, byte[] serviceTicket,
boolean createSession) throws LogonException {
- if (!AuthenticationType.KRB5.equals(service.getAuthType())) {
+ if (!AuthenticationType.GSS.equals(service.getAuthType())) {
throw new
LogonException(RuntimePlugin.Util.getString("wrong_logon_type_krb5"));
//$NON-NLS-1$
}
@@ -165,6 +173,11 @@
if (result == null) {
throw new
LogonException(RuntimePlugin.Util.getString("krb5_login_failed"));
//$NON-NLS-1$
}
+
+ if (result.context.isEstablished()) {
+ service.associateSubjectInContext(securityDomain, subject);
+ }
+
if (!result.context.isEstablished() || !createSession) {
LogonResult logonResult = new LogonResult(new SessionToken(0, "temp"),
"internal", 0, "internal"); //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
logonResult.addProperty(ILogon.KRB5TOKEN, result.serviceTicket);
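Review bot: Moving `service.associateSubjectInContext(securityDomain, subject)` ahead of the `createSession` check means the Subject is now left associated with the calling context even on the `!createSession` branch, where no session is created and only a temporary LogonResult is returned. That is what the ODBC follow-up logon in LogonImpl.logon relies on, but whether the association is cleared if that follow-up never arrives is not visible in this hunk, so the intent should be recorded: `// associate before the createSession branch: the ODBC flow (createSession=false) completes the logon later via logon(Properties) and looks the subject up from this context (TEIID-1610)`. The removal of the old association further down in this method (the next hunk) is consistent with this move. The enclosing method `neogitiateGssLogin` starts and ends outside this hunk.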
@@ -174,7 +187,6 @@
LogManager.logDetail(LogConstants.CTX_SECURITY, "Kerberos context
established"); //$NON-NLS-1$
//connProps.setProperty(TeiidURL.CONNECTION.PASSTHROUGH_AUTHENTICATION,
"true"); //$NON-NLS-1$
- service.associateSubjectInContext(securityDomain, subject);
return logon(connProps, result.serviceTicket);
} catch (LoginException e) {
throw new LogonException(e,
RuntimePlugin.Util.getString("krb5_login_failed")); //$NON-NLS-1$
Modified: trunk/runtime/src/main/resources/org/teiid/runtime/i18n.properties
===================================================================
--- trunk/runtime/src/main/resources/org/teiid/runtime/i18n.properties 2011-11-09 10:23:35
UTC (rev 3621)
+++ trunk/runtime/src/main/resources/org/teiid/runtime/i18n.properties 2011-11-09 18:03:26
UTC (rev 3622)
@@ -97,4 +97,5 @@
wrong_logon_type_jaas = Wrong logon method is being used. Server is not set up for JAAS
based authentication. Correct your client's 'AuthenticationType' property.
wrong_logon_type_krb5 = Wrong logon method is being used. Server is not set up for
Kerberos based authentication. Correct your client's 'AuthenticationType'
property.
krb5_login_failed=Kerberos context login failed
-no_security_domains=No security domain configured for Kerberos authentication. Can not
authenticate.
\ No newline at end of file
+no_security_domains=No security domain configured for Kerberos authentication. Can not
authenticate.
+krb5_user_not_found=GSS authentication is in use, however authenticated user not found in
the context to proceed.
\ No newline at end of file