Author: shawkins
Date: 2011-08-16 15:39:25 -0400 (Tue, 16 Aug 2011)
New Revision: 3387
Modified:
trunk/client/src/main/java/org/teiid/client/security/LogonResult.java
trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java
trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java
trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java
trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelper.java
trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java
trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java
trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java
Log:
TEIID-1610 minor changes to the initial check-in of GSSAPI support
Modified: trunk/client/src/main/java/org/teiid/client/security/LogonResult.java
===================================================================
--- trunk/client/src/main/java/org/teiid/client/security/LogonResult.java 2011-08-16
19:13:31 UTC (rev 3386)
+++ trunk/client/src/main/java/org/teiid/client/security/LogonResult.java 2011-08-16
19:39:25 UTC (rev 3387)
@@ -26,6 +26,7 @@
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;
+import java.io.OptionalDataException;
import java.util.HashMap;
import java.util.Map;
import java.util.TimeZone;
@@ -116,7 +117,11 @@
timeZone = (TimeZone)in.readObject();
clusterName = (String)in.readObject();
vdbVersion = in.readInt();
- addtionalProperties = ExternalizeUtil.readMap(in);
+ try {
+ addtionalProperties = ExternalizeUtil.readMap(in);
+ } catch (OptionalDataException e) {
+
+ }
}
@Override
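Review bot: The new `catch (OptionalDataException e)` block is empty, so a reader cannot tell whether a missing properties map is an expected condition or an error being hidden; name the variable and state the intent, e.g. `} catch (OptionalDataException ignored) { // presumably an older peer that does not write the map; keep the default }`. If the purpose is to tolerate a stream written by an older LogonResult, it is worth confirming that the old format actually produces OptionalDataException rather than EOFException, since only the former is caught here. The enclosing method (presumably readExternal) starts outside the hunk.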
Modified: trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
===================================================================
--- trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-08-16
19:13:31 UTC (rev 3386)
+++ trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-08-16
19:39:25 UTC (rev 3387)
@@ -1,5 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % CustomDTD SYSTEM "../../../../../../docbook/custom.dtd">
+%CustomDTD;
+]>
<chapter id="custom_security">
<title>Teiid Security</title>
<para>The Teiid system provides a range of built-in and extensible security
features to enable the
@@ -106,23 +109,21 @@
<section>
<title>Kerberos support through GSSAPI</title>
<para>Teiid supports kerberos authentication using GSSAPI, to be used
with single sign-on applications.
- This service ticket negotiation based authentication is supported through
remote JDBC and ODBC drivers and as
- well as in LocalConnections. However, configuration is varies for local
connections vs remote connections</para>
+ This service ticket negotiation based authentication is supported through
remote JDBC and ODBC drivers and LocalConnections.
+ Client configuration is different for all connection types.</para>
<section>
<title>LocalConnection</title>
- <para>For supporting kerberos through local connections, provide
JDBC URL property <emphasis>PassthroughAuthentication</emphasis>
- as true and use the <ulink
url="http://community.jboss.org/docs/DOC-10680">JBoss
Negotiation</ulink> as
- authentication configure your web-application for kerberos. When the web
application authenticates with the provided
+ <para>Set the JDBC URL property
<emphasis>PassthroughAuthentication</emphasis>
+ as true and use <ulink
url="http://community.jboss.org/docs/DOC-10680">JBoss
Negotiation</ulink> for
+ authentication of your web-application with kerberos. When the web
application authenticates with the provided
kerberos token, the same subject authenticated will be used in Teiid. For
details about configuration, check the
JBoss Negotiation documentation.</para>
</section>
<section>
- <title>Remote JDBC Connection</title>
- <para>Server: For supporting the kerberos through jdbc from a
remote client application, follow the below configuration.
- On the server, edit
"{jboss-as}/server/{profile}/deploy/teiid/teiid-jboss-beans.xml" file, and make
sure under
- "SessionService" bean definition the following properties are
set.
+ <title>Remote Connections</title>
+ <para>On the server, edit the &jboss-beans; under the
"SessionService" bean definition, as follows:
<programlisting><![CDATA[
<!-- Sets the authentication Type -->
<property name="authenticationType">KRB5</property>
@@ -130,12 +131,11 @@
<property name="krb5SecurityDomain">teiid-krb5</property>
]]></programlisting>
- Now we need to define security domain context for kerberos with name
mentioned in above, and since the kerberos
- authorization can not define authorization roles, we need devise a way to
define them using another login context.
- Given below is sample configuration to define roles using
UserRolesLoginModule.
- Note that the below configuration replaces the default Teiid login
configuration. Note to change the principal
- and key tab locations accordingly.
-
+ Now we need to define a security domain context for kerberos with the
name mentioned in above.
+ Since kerberos authorization cannot define authorization roles, we'll
define them using another login context.
+ Given below is a sample configuration to define roles using a
UserRolesLoginModule.
+ <note><para>This configuration replaces the default Teiid
login configuration, and you should change the principal
+ and key tab locations accordingly.</para></note>
<programlisting><![CDATA[
<!--login module that negotiates the login conext for kerberos -->
<application-policy xmlns="urn:jboss:security-beans:1.0"
name="teiid-krb5">
@@ -166,51 +166,59 @@
</authentication>
</application-policy>
]]></programlisting>
- Edit "run.conf" or "run.conf.bat"file depending upon
the environment in "${jboss-as}/bin" directory
- and add the following JVM options to startup script (note to change the
realm and KDC settings according to your environment)
+ Edit the "run.conf" or "run.conf.bat" file depending
upon the environment in the "${jboss-as}/bin" directory
+ and add the following JVM options (changing the realm and KDC settings
according to your environment)
<programlisting><![CDATA[
JAVA_OPTS = "$JAVA_OPTS -Djava.security.krb5.realm=EXAMPLE.COM
-Djava.security.krb5.kdc=kerberos.example.com
-Djavax.security.auth.useSubjectCredsOnly=false"
]]></programlisting>
This finishes the configuration on the server side, restart the server and
make sure that there were no errors during startup.
</para>
- <para>Client: The following configuration needs to be done on the Teiid
client application VM. For client VM, JAAS
- configuration for kerberos authentication needs to be written. A sample
configuration file (client.conf) is show below
-
- <programlisting><![CDATA[
- Client {
- com.sun.security.auth.module.Krb5LoginModule required
- useTicketCache=true
- storeKey=true
- useKeyTab=true
- keyTab="/path/to/krb5.keytab"
- doNotPrompt=false
- debug=false
- principal="demo(a)EXAMPLE.COM";
- };
- ]]></programlisting>
-
- Add the following JVM options to your client's startup script, note the
change Realm and KDC settings according to
- your environment
- <programlisting><![CDATA[
- -Djava.security.krb5.realm=EXAMPLE.COM
- -Djava.security.krb5.kdc=kerberos.example.com
- -Djavax.security.auth.useSubjectCredsOnly=false
- -Dsun.security.krb5.debug=false
- -Djava.security.auth.login.config=/path/to/client.conf
- ]]></programlisting>
-
- Add the following URL connection properties to Teiid JDBC connection string
- <programlisting><![CDATA[
-
authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=demo(a)EXAMPLE.COM
- ]]></programlisting>
- There is no need to provide the user name and password, when the application
is trying to make JDBC connection it
- will authenticate locally and use the same user credetinals to neogitiate
service token with server and grant the
- connection. See Client Developer's guide for information on connection
properties and how to configure data sources.
- </para>
- </section>
-
- </section>
+ <section>
+ <title>JDBC Client Configuration</title>
+ <para>In you client VM the JAAS
+ configuration for kerberos authentication needs to be written. A sample
configuration file (client.conf) is show below
+
+ <programlisting><![CDATA[
+ Client {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useTicketCache=true
+ storeKey=true
+ useKeyTab=true
+ keyTab="/path/to/krb5.keytab"
+ doNotPrompt=false
+ debug=false
+ principal="demo(a)EXAMPLE.COM";
+ };
+ ]]></programlisting>
+
+ Add the following JVM options to your client's startup script - change
Realm and KDC settings according to
+ your environment
+ <programlisting><![CDATA[
+ -Djava.security.krb5.realm=EXAMPLE.COM
+ -Djava.security.krb5.kdc=kerberos.example.com
+ -Djavax.security.auth.useSubjectCredsOnly=false
+ -Dsun.security.krb5.debug=false
+ -Djava.security.auth.login.config=/path/to/client.conf
+ ]]></programlisting>
+
+ Add the following URL connection properties to Teiid JDBC connection string
+ <programlisting><![CDATA[
+
authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=demo(a)EXAMPLE.COM
+ ]]></programlisting>
+ There is no need to provide the user name and password, when the application
is trying to make JDBC connection it
+ will authenticate locally and use the same user credetinals to neogitiate
service token with server and grant the
+ connection. See Client Developer's guide for information on connection
properties and how to configure data sources.
+ </para>
+ </section>
+
+ </section>
+ </section>
+
+ <section>
+ <title>ODBC Client Configuration</title>
+ <para>Consult the PostgreSQL ODBC client documentation.</para>
+ </section>
<section>
<title>Security at Data Source level</title>
Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java
===================================================================
---
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java 2011-08-16
19:13:31 UTC (rev 3386)
+++
trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java 2011-08-16
19:39:25 UTC (rev 3387)
@@ -207,7 +207,7 @@
DQPWorkContext.setWorkContext(this);
boolean associated = false;
if (securityHelper != null && this.getSubject() != null) {
- associated = securityHelper.assosiateSecurityContext(this.getSecurityDomain(),
this.getSecurityContext());
+ associated = securityHelper.associateSecurityContext(this.getSecurityDomain(),
this.getSecurityContext());
}
return associated;
}
Modified: trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 2011-08-16
19:13:31 UTC (rev 3386)
+++ trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 2011-08-16
19:39:25 UTC (rev 3387)
@@ -23,7 +23,6 @@
package org.teiid.dqp.service;
import java.util.Collection;
-import java.util.List;
import java.util.Properties;
import javax.security.auth.Subject;
@@ -149,5 +148,5 @@
String getKrb5SecurityDomain();
- void assosiateSubjectInContext(String securityDomain, Subject subject);
+ void associateSubjectInContext(String securityDomain, Subject subject);
}
Modified: trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java
===================================================================
--- trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java 2011-08-16 19:13:31
UTC (rev 3386)
+++ trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java 2011-08-16 19:39:25
UTC (rev 3387)
@@ -28,7 +28,7 @@
public interface SecurityHelper {
- boolean assosiateSecurityContext(String securityDomain, Object context);
+ boolean associateSecurityContext(String securityDomain, Object context);
void clearSecurityContext(String securityDomain);
Modified: trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelper.java
===================================================================
---
trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelper.java 2011-08-16
19:13:31 UTC (rev 3386)
+++
trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelper.java 2011-08-16
19:39:25 UTC (rev 3387)
@@ -36,7 +36,7 @@
private static final long serialVersionUID = 3598997061994110254L;
@Override
- public boolean assosiateSecurityContext(String securityDomain, Object newContext) {
+ public boolean associateSecurityContext(String securityDomain, Object newContext) {
SecurityContext context = SecurityActions.getSecurityContext();
if (context == null || (!context.getSecurityDomain().equals(securityDomain) &&
newContext != null)) {
SecurityActions.setSecurityContext((SecurityContext)newContext);
Modified: trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 2011-08-16
19:13:31 UTC (rev 3386)
+++ trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 2011-08-16
19:39:25 UTC (rev 3387)
@@ -21,7 +21,7 @@
*/
package org.teiid.odbc;
-import static org.teiid.odbc.PGUtil.convertType;
+import static org.teiid.odbc.PGUtil.*;
import java.io.IOException;
import java.io.StringReader;
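Review bot: The replacement `import static org.teiid.odbc.PGUtil.*;` turns an explicit static import into a wildcard, which hides which PGUtil members this file relies on and lets a future PGUtil addition silently shadow a same-named local method. Prefer listing the members actually used, e.g. `import static org.teiid.odbc.PGUtil.convertType;` together with whichever additional member motivated this change.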
@@ -207,7 +207,7 @@
else if (authType.equals(AuthenticationType.KRB5)) {
byte[] serviceToken = data.readServiceToken();
LogonResult result = this.logon.neogitiateGssLogin(this.props, serviceToken,
false);
- if ((Boolean)result.getProperty(ILogon.KRB5_ESTABLISHED)) {
+ if (!Boolean.TRUE.equals(result.getProperty(ILogon.KRB5_ESTABLISHED))) {
serviceToken = (byte[])result.getProperty(ILogon.KRB5TOKEN);
this.client.authenticationGSSContinue(serviceToken);
return;
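Review bot: After the inverted check, the branch reads `result.getProperty(ILogon.KRB5TOKEN)` and hands it straight to `authenticationGSSContinue` without verifying it is non-null; if the logon can report a not-established context without a continuation token (for instance on a failed negotiation), the client would be sent a null token instead of a rejection. Adding a null guard that fails the handshake before the `authenticationGSSContinue` call would make the failure explicit. The new `Boolean.TRUE.equals` form correctly avoids the NPE the old cast had when the property was absent. The enclosing `else if` block continues past the hunk.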
Modified: trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java 2011-08-16
19:13:31 UTC (rev 3386)
+++ trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java 2011-08-16
19:39:25 UTC (rev 3387)
@@ -424,13 +424,13 @@
}
@Override
- public void assosiateSubjectInContext(String securityDomain, Subject subject) {
+ public void associateSubjectInContext(String securityDomain, Subject subject) {
Principal principal = null;
for(Principal p:subject.getPrincipals()) {
principal = p;
break;
}
- this.securityHelper.assosiateSecurityContext(securityDomain,
this.securityHelper.createSecurityContext(securityDomain, principal, null, subject));
+ this.securityHelper.associateSecurityContext(securityDomain,
this.securityHelper.createSecurityContext(securityDomain, principal, null, subject));
}
public void setKrb5SecurityDomain(String domain) {
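Review bot: `associateSubjectInContext` binds whichever principal the loop over `subject.getPrincipals()` yields first, but that method returns a Set, so when a subject carries more than one principal the identity placed into the security context is chosen nondeterministically. Since this path is used for Kerberos, selecting by type would be deterministic, e.g. `Set<KerberosPrincipal> kps = subject.getPrincipals(KerberosPrincipal.class);` and taking an element from that, or at least document that subjects reaching this method are assumed to hold exactly one principal. The `subject` parameter is also dereferenced without a null check; an explicit check with a clear message would give a better failure than an NPE inside the loop.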
Modified: trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java
===================================================================
--- trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-08-16 19:13:31 UTC
(rev 3386)
+++ trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-08-16 19:39:25 UTC
(rev 3387)
@@ -174,7 +174,7 @@
LogManager.logDetail(LogConstants.CTX_SECURITY, "Kerberos context
established"); //$NON-NLS-1$
//connProps.setProperty(TeiidURL.CONNECTION.PASSTHROUGH_AUTHENTICATION,
"true"); //$NON-NLS-1$
- service.assosiateSubjectInContext(securityDomain, subject);
+ service.associateSubjectInContext(securityDomain, subject);
return logon(connProps, result.serviceTicket);
} catch (LoginException e) {
throw new LogonException(e,
RuntimePlugin.Util.getString("krb5_login_failed")); //$NON-NLS-1$