Author: shawkins Date: 2011-08-16 15:39:25 -0400 (Tue, 16 Aug 2011) New Revision: 3387 Modified: trunk/client/src/main/java/org/teiid/client/security/LogonResult.java trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelper.java trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java Log: TEIID-1610 minor changes to the initial check-in of GSSAPI support Modified: trunk/client/src/main/java/org/teiid/client/security/LogonResult.java =================================================================== --- trunk/client/src/main/java/org/teiid/client/security/LogonResult.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/client/src/main/java/org/teiid/client/security/LogonResult.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -26,6 +26,7 @@ import java.io.IOException; import java.io.ObjectInput; import java.io.ObjectOutput; +import java.io.OptionalDataException; import java.util.HashMap; import java.util.Map; import java.util.TimeZone; @@ -116,7 +117,11 @@ timeZone = (TimeZone)in.readObject(); clusterName = (String)in.readObject(); vdbVersion = in.readInt(); - addtionalProperties = ExternalizeUtil.readMap(in); + try { + addtionalProperties = ExternalizeUtil.readMap(in); + } catch (OptionalDataException e) { + + } } @Override Modified: trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml =================================================================== --- trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/documentation/admin-guide/src/main/docbook/en-US/content/security.xml 2011-08-16 19:39:25 UTC (rev 3387) @@ -1,5 +1,8 @@ <?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> +<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [ +<!ENTITY % CustomDTD SYSTEM "../../../../../../docbook/custom.dtd"> +%CustomDTD; +]> <chapter id="custom_security"> <title>Teiid Security</title> <para>The Teiid system provides a range of built-in and extensible security features to enable the @@ -106,23 +109,21 @@ <section> <title>Kerberos support through GSSAPI</title> <para>Teiid supports kerberos authentication using GSSAPI, to be used with single sign-on applications. - This service ticket negotiation based authentication is supported through remote JDBC and ODBC drivers and as - well as in LocalConnections. However, configuration is varies for local connections vs remote connections</para> + This service ticket negotiation based authentication is supported through remote JDBC and ODBC drivers and LocalConnections. + Client configuration is different for all connection types.</para> <section> <title>LocalConnection</title> - <para>For supporting kerberos through local connections, provide JDBC URL property <emphasis>PassthroughAuthentication</emphasis> - as true and use the <ulink url="http://community.jboss.org/docs/DOC-10680">JBoss Negotiation</ulink> as - authentication configure your web-application for kerberos. When the web application authenticates with the provided + <para>Set the JDBC URL property <emphasis>PassthroughAuthentication</emphasis> + as true and use <ulink url="http://community.jboss.org/docs/DOC-10680">JBoss Negotiation</ulink> for + authentication of your web-application with kerberos. When the web application authenticates with the provided kerberos token, the same subject authenticated will be used in Teiid. For details about configuration, check the JBoss Negotiation documentation.</para> </section> <section> - <title>Remote JDBC Connection</title> - <para>Server: For supporting the kerberos through jdbc from a remote client application, follow the below configuration. - On the server, edit "{jboss-as}/server/{profile}/deploy/teiid/teiid-jboss-beans.xml" file, and make sure under - "SessionService" bean definition the following properties are set. + <title>Remote Connections</title> + <para>On the server, edit the &jboss-beans; under the "SessionService" bean definition, as follows: <programlisting><![CDATA[ <!-- Sets the authentication Type --> <property name="authenticationType">KRB5</property> @@ -130,12 +131,11 @@ <property name="krb5SecurityDomain">teiid-krb5</property> ]]></programlisting> - Now we need to define security domain context for kerberos with name mentioned in above, and since the kerberos - authorization can not define authorization roles, we need devise a way to define them using another login context. - Given below is sample configuration to define roles using UserRolesLoginModule. - Note that the below configuration replaces the default Teiid login configuration. Note to change the principal - and key tab locations accordingly. - + Now we need to define a security domain context for kerberos with the name mentioned in above. + Since kerberos authorization cannot define authorization roles, we'll define them using another login context. + Given below is a sample configuration to define roles using a UserRolesLoginModule. + <note><para>This configuration replaces the default Teiid login configuration, and you should change the principal + and key tab locations accordingly.</para></note> <programlisting><![CDATA[ <!--login module that negotiates the login conext for kerberos --> <application-policy xmlns="urn:jboss:security-beans:1.0" name="teiid-krb5"> @@ -166,51 +166,59 @@ </authentication> </application-policy> ]]></programlisting> - Edit "run.conf" or "run.conf.bat"file depending upon the environment in "${jboss-as}/bin" directory - and add the following JVM options to startup script (note to change the realm and KDC settings according to your environment) + Edit the "run.conf" or "run.conf.bat" file depending upon the environment in the "${jboss-as}/bin" directory + and add the following JVM options (changing the realm and KDC settings according to your environment) <programlisting><![CDATA[ JAVA_OPTS = "$JAVA_OPTS -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=kerberos.example.com -Djavax.security.auth.useSubjectCredsOnly=false" ]]></programlisting> This finishes the configuration on the server side, restart the server and make sure that there were no errors during startup. </para> - <para>Client: The following configuration needs to be done on the Teiid client application VM. For client VM, JAAS - configuration for kerberos authentication needs to be written. A sample configuration file (client.conf) is show below - - <programlisting><![CDATA[ - Client { - com.sun.security.auth.module.Krb5LoginModule required - useTicketCache=true - storeKey=true - useKeyTab=true - keyTab="/path/to/krb5.keytab" - doNotPrompt=false - debug=false - principal=&quot;demo(a)EXAMPLE.COM&quot;; - }; - ]]></programlisting> - - Add the following JVM options to your client's startup script, note the change Realm and KDC settings according to - your environment - <programlisting><![CDATA[ - -Djava.security.krb5.realm=EXAMPLE.COM - -Djava.security.krb5.kdc=kerberos.example.com - -Djavax.security.auth.useSubjectCredsOnly=false - -Dsun.security.krb5.debug=false - -Djava.security.auth.login.config=/path/to/client.conf - ]]></programlisting> - - Add the following URL connection properties to Teiid JDBC connection string - <programlisting><![CDATA[ - authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=demo(a)EXAMPLE.COM - ]]></programlisting> - There is no need to provide the user name and password, when the application is trying to make JDBC connection it - will authenticate locally and use the same user credetinals to neogitiate service token with server and grant the - connection. See Client Developer's guide for information on connection properties and how to configure data sources. - </para> - </section> - - </section> + <section> + <title>JDBC Client Configuration</title> + <para>In you client VM the JAAS + configuration for kerberos authentication needs to be written. A sample configuration file (client.conf) is show below + + <programlisting><![CDATA[ + Client { + com.sun.security.auth.module.Krb5LoginModule required + useTicketCache=true + storeKey=true + useKeyTab=true + keyTab="/path/to/krb5.keytab" + doNotPrompt=false + debug=false + principal=&quot;demo(a)EXAMPLE.COM&quot;; + }; + ]]></programlisting> + + Add the following JVM options to your client's startup script - change Realm and KDC settings according to + your environment + <programlisting><![CDATA[ + -Djava.security.krb5.realm=EXAMPLE.COM + -Djava.security.krb5.kdc=kerberos.example.com + -Djavax.security.auth.useSubjectCredsOnly=false + -Dsun.security.krb5.debug=false + -Djava.security.auth.login.config=/path/to/client.conf + ]]></programlisting> + + Add the following URL connection properties to Teiid JDBC connection string + <programlisting><![CDATA[ + authenticationType=KRB5;jaasName=Client;kerberosServicePrincipleName=demo(a)EXAMPLE.COM + ]]></programlisting> + There is no need to provide the user name and password, when the application is trying to make JDBC connection it + will authenticate locally and use the same user credetinals to neogitiate service token with server and grant the + connection. See Client Developer's guide for information on connection properties and how to configure data sources. + </para> + </section> + + </section> + </section> + + <section> + <title>ODBC Client Configuration</title> + <para>Consult the PostgreSQL ODBC client documentation.</para> + </section> <section> <title>Security at Data Source level</title> Modified: trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java =================================================================== --- trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/engine/src/main/java/org/teiid/dqp/internal/process/DQPWorkContext.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -207,7 +207,7 @@ DQPWorkContext.setWorkContext(this); boolean associated = false; if (securityHelper != null && this.getSubject() != null) { - associated = securityHelper.assosiateSecurityContext(this.getSecurityDomain(), this.getSecurityContext()); + associated = securityHelper.associateSecurityContext(this.getSecurityDomain(), this.getSecurityContext()); } return associated; } Modified: trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java =================================================================== --- trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/engine/src/main/java/org/teiid/dqp/service/SessionService.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -23,7 +23,6 @@ package org.teiid.dqp.service; import java.util.Collection; -import java.util.List; import java.util.Properties; import javax.security.auth.Subject; @@ -149,5 +148,5 @@ String getKrb5SecurityDomain(); - void assosiateSubjectInContext(String securityDomain, Subject subject); + void associateSubjectInContext(String securityDomain, Subject subject); } Modified: trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java =================================================================== --- trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/engine/src/main/java/org/teiid/security/SecurityHelper.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -28,7 +28,7 @@ public interface SecurityHelper { - boolean assosiateSecurityContext(String securityDomain, Object context); + boolean associateSecurityContext(String securityDomain, Object context); void clearSecurityContext(String securityDomain); Modified: trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelper.java =================================================================== --- trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelper.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/jboss-integration/src/main/java/org/teiid/jboss/JBossSecurityHelper.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -36,7 +36,7 @@ private static final long serialVersionUID = 3598997061994110254L; @Override - public boolean assosiateSecurityContext(String securityDomain, Object newContext) { + public boolean associateSecurityContext(String securityDomain, Object newContext) { SecurityContext context = SecurityActions.getSecurityContext(); if (context == null || (!context.getSecurityDomain().equals(securityDomain) && newContext != null)) { SecurityActions.setSecurityContext((SecurityContext)newContext); Modified: trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java =================================================================== --- trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/runtime/src/main/java/org/teiid/odbc/ODBCServerRemoteImpl.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -21,7 +21,7 @@ */ package org.teiid.odbc; -import static org.teiid.odbc.PGUtil.convertType; +import static org.teiid.odbc.PGUtil.*; import java.io.IOException; import java.io.StringReader; @@ -207,7 +207,7 @@ else if (authType.equals(AuthenticationType.KRB5)) { byte[] serviceToken = data.readServiceToken(); LogonResult result = this.logon.neogitiateGssLogin(this.props, serviceToken, false); - if ((Boolean)result.getProperty(ILogon.KRB5_ESTABLISHED)) { + if (!Boolean.TRUE.equals(result.getProperty(ILogon.KRB5_ESTABLISHED))) { serviceToken = (byte[])result.getProperty(ILogon.KRB5TOKEN); this.client.authenticationGSSContinue(serviceToken); return; Modified: trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java =================================================================== --- trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/runtime/src/main/java/org/teiid/services/SessionServiceImpl.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -424,13 +424,13 @@ } @Override - public void assosiateSubjectInContext(String securityDomain, Subject subject) { + public void associateSubjectInContext(String securityDomain, Subject subject) { Principal principal = null; for(Principal p:subject.getPrincipals()) { principal = p; break; } - this.securityHelper.assosiateSecurityContext(securityDomain, this.securityHelper.createSecurityContext(securityDomain, principal, null, subject)); + this.securityHelper.associateSecurityContext(securityDomain, this.securityHelper.createSecurityContext(securityDomain, principal, null, subject)); } public void setKrb5SecurityDomain(String domain) { Modified: trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java =================================================================== --- trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-08-16 19:13:31 UTC (rev 3386) +++ trunk/runtime/src/main/java/org/teiid/transport/LogonImpl.java 2011-08-16 19:39:25 UTC (rev 3387) @@ -174,7 +174,7 @@ LogManager.logDetail(LogConstants.CTX_SECURITY, "Kerberos context established"); //$NON-NLS-1$ //connProps.setProperty(TeiidURL.CONNECTION.PASSTHROUGH_AUTHENTICATION, "true"); //$NON-NLS-1$ - service.assosiateSubjectInContext(securityDomain, subject); + service.associateSubjectInContext(securityDomain, subject); return logon(connProps, result.serviceTicket); } catch (LoginException e) { throw new LogonException(e, RuntimePlugin.Util.getString("krb5_login_failed")); //$NON-NLS-1$