]
Steven Hawkins resolved TEIID-4571.
-----------------------------------
Resolution: Done
See also the doc changes for TEIID-4561
Kerberos secured OData - delegation of credentials to datasource
using PassthroughLoginModule doesn't work
----------------------------------------------------------------------------------------------------------
Key: TEIID-4571
URL:
https://issues.jboss.org/browse/TEIID-4571
Project: Teiid
Issue Type: Bug
Components: OData
Affects Versions: 8.12.7.6_3
Reporter: Jan Stastny
Assignee: Johnathon Lee
Priority: Critical
When OData war is secured by Kerberos there is issue with delegation of kerberos
credentials from the web layer to configured datasource.
All the OData war, vdb and datasource are in the same realm.
Exception logged on server:
{code:plain}
07:58:37,965 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject]
(http-127.0.0.1:8080-1) IJ000604: Throwable while attempting to get a new connection:
null: javax.resource.ResourceException: No matching credentials in Subject!
at
org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:965)
at
org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:233)
at
org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:858)
at
org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:413)
at
org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:457)
at
org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:429)
at
org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:344)
at
org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:367)
at
org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:499)
at
org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
at
org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:69)
at
org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270)
[translator-jdbc-8.12.7.6_3-redhat-1.jar:8.12.7.6_3-redhat-1]
at
org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68)
[translator-jdbc-8.12.7.6_3-redhat-1.jar:8.12.7.6_3-redhat-1]
at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202)
[teiid-api-8.12.7.6_3-redhat-1.jar:8.12.7.6_3-redhat-1]
at
org.teiid.dqp.internal.datamgr.ConnectorManager.buildCapabilities(ConnectorManager.java:179)
at
org.teiid.dqp.internal.datamgr.ConnectorManager.getCapabilities(ConnectorManager.java:163)
at org.teiid.dqp.internal.process.CachedFinder.findCapabilities(CachedFinder.java:108)
at
org.teiid.query.metadata.TempCapabilitiesFinder.findCapabilities(TempCapabilitiesFinder.java:78)
at
org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.getCapabilities(CapabilitiesUtil.java:439)
at
org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.supports(CapabilitiesUtil.java:459)
at
org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.requiresCriteria(CapabilitiesUtil.java:444)
at
org.teiid.query.optimizer.relational.rules.RulePlaceAccess.addAccessNode(RulePlaceAccess.java:196)
at
org.teiid.query.optimizer.relational.rules.RulePlaceAccess.execute(RulePlaceAccess.java:86)
at
org.teiid.query.optimizer.relational.RelationalPlanner.executeRules(RelationalPlanner.java:925)
at
org.teiid.query.optimizer.relational.RelationalPlanner.optimize(RelationalPlanner.java:228)
at org.teiid.query.optimizer.QueryOptimizer.optimizePlan(QueryOptimizer.java:159)
at org.teiid.dqp.internal.process.Request.generatePlan(Request.java:442)
at
org.teiid.dqp.internal.process.PreparedStatementRequest.generatePlan(PreparedStatementRequest.java:119)
at org.teiid.dqp.internal.process.Request.processRequest(Request.java:470)
at
org.teiid.dqp.internal.process.PreparedStatementRequest.processRequest(PreparedStatementRequest.java:294)
at org.teiid.dqp.internal.process.RequestWorkItem.processNew(RequestWorkItem.java:642)
at org.teiid.dqp.internal.process.RequestWorkItem.process(RequestWorkItem.java:337)
at org.teiid.dqp.internal.process.AbstractWorkItem.run(AbstractWorkItem.java:51)
at org.teiid.dqp.internal.process.RequestWorkItem.run(RequestWorkItem.java:274)
at org.teiid.dqp.internal.process.DQPCore.executeRequest(DQPCore.java:306)
at org.teiid.dqp.internal.process.DQPCore.executeRequest(DQPCore.java:238)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_102]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_102]
at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
at org.teiid.logging.LogManager$LoggingProxy.invoke(LogManager.java:121)
[teiid-api-8.12.7.6_3-redhat-1.jar:8.12.7.6_3-redhat-1]
at org.teiid.jboss.TransportService$2.invoke(TransportService.java:241)
at com.sun.proxy.$Proxy20.executeRequest(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_102]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_102]
at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
at org.teiid.transport.LocalServerConnection$1$1.call(LocalServerConnection.java:180)
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_102]
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:260)
at org.teiid.transport.LocalServerConnection$1.invoke(LocalServerConnection.java:178)
at com.sun.proxy.$Proxy20.executeRequest(Unknown Source)
at org.teiid.jdbc.StatementImpl.execute(StatementImpl.java:688)
at org.teiid.jdbc.StatementImpl.executeSql(StatementImpl.java:554)
at org.teiid.jdbc.PreparedStatementImpl.executeQuery(PreparedStatementImpl.java:260)
at org.teiid.jdbc.PreparedStatementImpl.executeQuery(PreparedStatementImpl.java:73)
at org.teiid.olingo.service.LocalClient.executeSQL(LocalClient.java:234)
at
org.teiid.olingo.service.TeiidServiceHandler.executeQuery(TeiidServiceHandler.java:349)
at org.teiid.olingo.service.TeiidServiceHandler.read(TeiidServiceHandler.java:172)
at
org.apache.olingo.server.core.requests.DataRequest$EntityRequest.execute(DataRequest.java:332)
at org.apache.olingo.server.core.requests.DataRequest.execute(DataRequest.java:255)
at
org.apache.olingo.server.core.ServiceDispatcher.internalExecute(ServiceDispatcher.java:160)
at org.apache.olingo.server.core.ServiceDispatcher.execute(ServiceDispatcher.java:98)
at org.apache.olingo.server.core.OData4HttpHandler.process(OData4HttpHandler.java:66)
at org.teiid.olingo.web.ODataServlet.service(ODataServlet.java:43)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.teiid.olingo.web.ODataFilter.internalDoFilter(ODataFilter.java:231)
at org.teiid.olingo.web.ODataFilter.doFilter(ODataFilter.java:100)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
at
org.jboss.security.negotiation.NegotiationAuthenticator$WrapperValve.invoke(NegotiationAuthenticator.java:492)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512)
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
{code}
Debug logs after war is deployed and accessed:
{code:plain}
07:58:36,981 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) Authenticating user
07:58:36,982 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) Header - null
07:58:36,982 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) No Authorization Header, initiating negotiation
07:58:37,327 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) Authenticating user
07:58:37,327 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) Header - Negotiate
YIIE4AYGKwYBBQUCoIIE1DCCBNCgDTALBgkqhkiG9xIBAgKhBAMCAfaiggS3BIIEs2CCBK8GCSqGSIb3EgECAgEAboIEnjCCBJqgAwIBBaEDAgEOogcDBQAgAAAAo4IBIGGCARwwggEYoAMCAQWhGxsZTVcuTEFCLkVORy5CT1MuUkVESEFULkNPTaIcMBqgAwIBAKETMBEbBEhUVFAbCWxvY2FsaG9zdKOB1TCB0qADAgERoQMCAQSigcUEgcK465BoUHrVQ0BUkECQudf6zEeCf5II5fdigc1feeqGKuL2ETqPjYO3jtghflu42UiXeWq8a5xSJXjQU5gFq6JPVCdvi2e0Fy75e1kQR1vE1Rw/iVfqeneJLfIN0yITvMLhtvZDB7DYdlROsW4M2awuUSdO4NgGrFoA8n46/V3lbfY4MlBQ+C4MYICebuz8flxcmXPre0lBmQ3gfJPTIQdDkU1x2dhQdGGHe0GIUX/dEMEkrVBluW9geTvpzBPR/XrdfaSCA18wggNboAMCARGiggNSBIIDThvjxRAkGUQ9cdb/CyogewYHdMRiCvhMyf/zMibr1PiKBwBC+SMs8vTVdziFvNGiNCL+h6YkDA0asANzGdI2I4jg3/H1QfxhEqrFECozatqMFdzi+0jaj5EPvkzSC6knyOdsFVJ6z8y1G00lNzwzNrjwvzNV54nJiQv+O5RLTGsY7b8bwo9sUk9LVHyNcFKDgZfMtHEhkzp1faeLuGv/xzslrZ3ADdykbVsqMvPEaPpyJEtR2Y0myWZdJn7hZUgSDJuQlh1aJc6sFu02+t5eA6IuxHUlahmLn+IfJ5ytu5FW/F7cwSY9HlfXY21TdtKsDWfs78LOkFUUMdEXjzeKeukY682j6g3zKQhCb272RmWnynOsakPuY0vH0nLe/d/H0wvhz/PPwMjTlyRNIsXy1D9OwlkcZIEy8KXkeFff6uOW3kG4h+63x7lC3KM3g1tztJPxmhEsFU40X9chYm+J0gakjAL6VCHkivp+GX0mEkA3ooDWCURBwr+mbxQnF3yDf9ofP4WAKWVVXqg4Q8vsnCxIYZlMgfuQp+7j5Dil5efUrds67bLiELboacy7+RfH3/RcFmYQ9/vqNjn0y5PXOyrUTGsSTUXmIFZvQDY6XCAFf3wBwP5tsBQOMHSjIXPj8vQR7kxn440CkSLRYSRLhY5pgIeGBZUuTviGxuL6D1+QQfDglYE1tcHqToMfL+NIHjqmCWu7AY6eGN4TAveQHIO9+BhDPqhFPgIr4Rh8vx9vY3vh9Y62b1Fkbv2sbADrgOHwZ9FN06jgdwvBhZfYvo4eNQvjDOaoMXZ4dy05g0kwAyGhNk7GEds8td1qUNTdryWGwCdm1zbxsH7cuoHKkH538jDacKPIdw2yewwgVnGfi0HT1+EtvaOfipVSLEgn6l06LemsjeS8UVAXNuO7upI6ekBpQzOWmDkoVFdv2Zy8aaAE4A29718yHWMkZhjkKkc/KjbmRFp1NxFpl30kLaVm4a2AZ/l6KB3gE8WmqbgF5NTCjXervCZPdjJnp5fbG6bK64SDiAWc+xnM0TlfRvZ4d1OhFktpkRTkNm6iSlSVeTZdokns1pCnu8wecXj+/oEVLkJ0t70drqG08p5rEVW001NTZAsKwqdN5ri79Q==
07:58:37,333 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64]
(http-127.0.0.1:8080-1)
YIIE4AYGKwYBBQUCoIIE1DCCBNCgDTALBgkqhkiG9xIBAgKhBAMCAfaiggS3BIIEs2CCBK8GCSqGSIb3EgECAgEAboIEnjCCBJqgAwIBBaEDAgEOogcDBQAgAAAAo4IBIGGCARwwggEYoAMCAQWhGxsZTVcuTEFCLkVORy5CT1MuUkVESEFULkNPTaIcMBqgAwIBAKETMBEbBEhUVFAbCWxvY2FsaG9zdKOB1TCB0qADAgERoQMCAQSigcUEgcK465BoUHrVQ0BUkECQudf6zEeCf5II5fdigc1feeqGKuL2ETqPjYO3jtghflu42UiXeWq8a5xSJXjQU5gFq6JPVCdvi2e0Fy75e1kQR1vE1Rw/iVfqeneJLfIN0yITvMLhtvZDB7DYdlROsW4M2awuUSdO4NgGrFoA8n46/V3lbfY4MlBQ+C4MYICebuz8flxcmXPre0lBmQ3gfJPTIQdDkU1x2dhQdGGHe0GIUX/dEMEkrVBluW9geTvpzBPR/XrdfaSCA18wggNboAMCARGiggNSBIIDThvjxRAkGUQ9cdb/CyogewYHdMRiCvhMyf/zMibr1PiKBwBC+SMs8vTVdziFvNGiNCL+h6YkDA0asANzGdI2I4jg3/H1QfxhEqrFECozatqMFdzi+0jaj5EPvkzSC6knyOdsFVJ6z8y1G00lNzwzNrjwvzNV54nJiQv+O5RLTGsY7b8bwo9sUk9LVHyNcFKDgZfMtHEhkzp1faeLuGv/xzslrZ3ADdykbVsqMvPEaPpyJEtR2Y0myWZdJn7hZUgSDJuQlh1aJc6sFu02+t5eA6IuxHUlahmLn+IfJ5ytu5FW/F7cwSY9HlfXY21TdtKsDWfs78LOkFUUMdEXjzeKeukY682j6g3zKQhCb272RmWnynOsakPuY0vH0nLe/d/H0wvhz/PPwMjTlyRNIsXy1D9OwlkcZIEy8KXkeFff6uOW3kG4h+63x7lC3KM3g1tztJPxmhEsFU40X9chYm+J0gakjAL6VCHkivp+GX0mEkA3ooDWCURBwr+mbxQnF3yDf9ofP4WAKWVVXqg4Q8vsnCxIYZlMgfuQp+7j5Dil5efUrds67bLiELboacy7+RfH3/RcFmYQ9/vqNjn0y5PXOyrUTGsSTUXmIFZvQDY6XCAFf3wBwP5tsBQOMHSjIXPj8vQR7kxn440CkSLRYSRLhY5pgIeGBZUuTviGxuL6D1+QQfDglYE1tcHqToMfL+NIHjqmCWu7AY6eGN4TAveQHIO9+BhDPqhFPgIr4Rh8vx9vY3vh9Y62b1Fkbv2sbADrgOHwZ9FN06jgdwvBhZfYvo4eNQvjDOaoMXZ4dy05g0kwAyGhNk7GEds8td1qUNTdryWGwCdm1zbxsH7cuoHKkH538jDacKPIdw2yewwgVnGfi0HT1+EtvaOfipVSLEgn6l06LemsjeS8UVAXNuO7upI6ekBpQzOWmDkoVFdv2Zy8aaAE4A29718yHWMkZhjkKkc/KjbmRFp1NxFpl30kLaVm4a2AZ/l6KB3gE8WmqbgF5NTCjXervCZPdjJnp5fbG6bK64SDiAWc+xnM0TlfRvZ4d1OhFktpkRTkNm6iSlSVeTZdokns1pCnu8wecXj+/oEVLkJ0t70drqG08p5rEVW001NTZAsKwqdN5ri79Q==
07:58:37,334 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex]
(http-127.0.0.1:8080-1) 0x60 0x82 0x04 0xe0 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0xa0
0x82 0x04 0xd4 0x30 0x82 0x04 0xd0 0xa0 0x0d 0x30 0x0b 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7
0x12 0x01 0x02 0x02 0xa1 0x04 0x03 0x02 0x01 0xf6 0xa2 0x82 0x04 0xb7 0x04 0x82 0x04 0xb3
0x60 0x82 0x04 0xaf 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x12 0x01 0x02 0x02 0x01 0x00 0x6e
0x82 0x04 0x9e 0x30 0x82 0x04 0x9a 0xa0 0x03 0x02 0x01 0x05 0xa1 0x03 0x02 0x01 0x0e 0xa2
0x07 0x03 0x05 0x00 0x20 0x00 0x00 0x00 0xa3 0x82 0x01 0x20 0x61 0x82 0x01 0x1c 0x30 0x82
0x01 0x18 0xa0 0x03 0x02 0x01 0x05 0xa1 0x1b 0x1b 0x19 0x4d 0x57 0x2e 0x4c 0x41 0x42 0x2e
0x45 0x4e 0x47 0x2e 0x42 0x4f 0x53 0x2e 0x52 0x45 0x44 0x48 0x41 0x54 0x2e 0x43 0x4f 0x4d
0xa2 0x1c 0x30 0x1a 0xa0 0x03 0x02 0x01 0x00 0xa1 0x13 0x30 0x11 0x1b 0x04 0x48 0x54 0x54
0x50 0x1b 0x09 0x6c 0x6f 0x63 0x61 0x6c 0x68 0x6f 0x73 0x74 0xa3 0x81 0xd5 0x30 0x81 0xd2
0xa0 0x03 0x02 0x01 0x11 0xa1 0x03 0x02 0x01 0x04 0xa2 0x81 0xc5 0x04 0x81 0xc2 0xb8 0xeb
0x90 0x68 0x50 0x7a 0xd5 0x43 0x40 0x54 0x90 0x40 0x90 0xb9 0xd7 0xfa 0xcc 0x47 0x82 0x7f
0x92 0x08 0xe5 0xf7 0x62 0x81 0xcd 0x5f 0x79 0xea 0x86 0x2a 0xe2 0xf6 0x11 0x3a 0x8f 0x8d
0x83 0xb7 0x8e 0xd8 0x21 0x7e 0x5b 0xb8 0xd9 0x48 0x97 0x79 0x6a 0xbc 0x6b 0x9c 0x52 0x25
0x78 0xd0 0x53 0x98 0x05 0xab 0xa2 0x4f 0x54 0x27 0x6f 0x8b 0x67 0xb4 0x17 0x2e 0xf9 0x7b
0x59 0x10 0x47 0x5b 0xc4 0xd5 0x1c 0x3f 0x89 0x57 0xea 0x7a 0x77 0x89 0x2d 0xf2 0x0d 0xd3
0x22 0x13 0xbc 0xc2 0xe1 0xb6 0xf6 0x43 0x07 0xb0 0xd8 0x76 0x54 0x4e 0xb1 0x6e 0x0c 0xd9
0xac 0x2e 0x51 0x27 0x4e 0xe0 0xd8 0x06 0xac 0x5a 0x00 0xf2 0x7e 0x3a 0xfd 0x5d 0xe5 0x6d
0xf6 0x38 0x32 0x50 0x50 0xf8 0x2e 0x0c 0x60 0x80 0x9e 0x6e 0xec 0xfc 0x7e 0x5c 0x5c 0x99
0x73 0xeb 0x7b 0x49 0x41 0x99 0x0d 0xe0 0x7c 0x93 0xd3 0x21 0x07 0x43 0x91 0x4d 0x71 0xd9
0xd8 0x50 0x74 0x61 0x87 0x7b 0x41 0x88 0x51 0x7f 0xdd 0x10 0xc1 0x24 0xad 0x50 0x65 0xb9
0x6f 0x60 0x79 0x3b 0xe9 0xcc 0x13 0xd1 0xfd 0x7a 0xdd 0x7d 0xa4 0x82 0x03 0x5f 0x30 0x82
0x03 0x5b 0xa0 0x03 0x02 0x01 0x11 0xa2 0x82 0x03 0x52 0x04 0x82 0x03 0x4e 0x1b 0xe3 0xc5
0x10 0x24 0x19 0x44 0x3d 0x71 0xd6 0xff 0x0b 0x2a 0x20 0x7b 0x06 0x07 0x74 0xc4 0x62 0x0a
0xf8 0x4c 0xc9 0xff 0xf3 0x32 0x26 0xeb 0xd4 0xf8 0x8a 0x07 0x00 0x42 0xf9 0x23 0x2c 0xf2
0xf4 0xd5 0x77 0x38 0x85 0xbc 0xd1 0xa2 0x34 0x22 0xfe 0x87 0xa6 0x24 0x0c 0x0d 0x1a 0xb0
0x03 0x73 0x19 0xd2 0x36 0x23 0x88 0xe0 0xdf 0xf1 0xf5 0x41 0xfc 0x61 0x12 0xaa 0xc5 0x10
0x2a 0x33 0x6a 0xda 0x8c 0x15 0xdc 0xe2 0xfb 0x48 0xda 0x8f 0x91 0x0f 0xbe 0x4c 0xd2 0x0b
0xa9 0x27 0xc8 0xe7 0x6c 0x15 0x52 0x7a 0xcf 0xcc 0xb5 0x1b 0x4d 0x25 0x37 0x3c 0x33 0x36
0xb8 0xf0 0xbf 0x33 0x55 0xe7 0x89 0xc9 0x89 0x0b 0xfe 0x3b 0x94 0x4b 0x4c 0x6b 0x18 0xed
0xbf 0x1b 0xc2 0x8f 0x6c 0x52 0x4f 0x4b 0x54 0x7c 0x8d 0x70 0x52 0x83 0x81 0x97 0xcc 0xb4
0x71 0x21 0x93 0x3a 0x75 0x7d 0xa7 0x8b 0xb8 0x6b 0xff 0xc7 0x3b 0x25 0xad 0x9d 0xc0 0x0d
0xdc 0xa4 0x6d 0x5b 0x2a 0x32 0xf3 0xc4 0x68 0xfa 0x72 0x24 0x4b 0x51 0xd9 0x8d 0x26 0xc9
0x66 0x5d 0x26 0x7e 0xe1 0x65 0x48 0x12 0x0c 0x9b 0x90 0x96 0x1d 0x5a 0x25 0xce 0xac 0x16
0xed 0x36 0xfa 0xde 0x5e 0x03 0xa2 0x2e 0xc4 0x75 0x25 0x6a 0x19 0x8b 0x9f 0xe2 0x1f 0x27
0x9c 0xad 0xbb 0x91 0x56 0xfc 0x5e 0xdc 0xc1 0x26 0x3d 0x1e 0x57 0xd7 0x63 0x6d 0x53 0x76
0xd2 0xac 0x0d 0x67 0xec 0xef 0xc2 0xce 0x90 0x55 0x14 0x31 0xd1 0x17 0x8f 0x37 0x8a 0x7a
0xe9 0x18 0xeb 0xcd 0xa3 0xea 0x0d 0xf3 0x29 0x08 0x42 0x6f 0x6e 0xf6 0x46 0x65 0xa7 0xca
0x73 0xac 0x6a 0x43 0xee 0x63 0x4b 0xc7 0xd2 0x72 0xde 0xfd 0xdf 0xc7 0xd3 0x0b 0xe1 0xcf
0xf3 0xcf 0xc0 0xc8 0xd3 0x97 0x24 0x4d 0x22 0xc5 0xf2 0xd4 0x3f 0x4e 0xc2 0x59 0x1c 0x64
0x81 0x32 0xf0 0xa5 0xe4 0x78 0x57 0xdf 0xea 0xe3 0x96 0xde 0x41 0xb8 0x87 0xee 0xb7 0xc7
0xb9 0x42 0xdc 0xa3 0x37 0x83 0x5b 0x73 0xb4 0x93 0xf1 0x9a 0x11 0x2c 0x15 0x4e 0x34 0x5f
0xd7 0x21 0x62 0x6f 0x89 0xd2 0x06 0xa4 0x8c 0x02 0xfa 0x54 0x21 0xe4 0x8a 0xfa 0x7e 0x19
0x7d 0x26 0x12 0x40 0x37 0xa2 0x80 0xd6 0x09 0x44 0x41 0xc2 0xbf 0xa6 0x6f 0x14 0x27 0x17
0x7c 0x83 0x7f 0xda 0x1f 0x3f 0x85 0x80 0x29 0x65 0x55 0x5e 0xa8 0x38 0x43 0xcb 0xec 0x9c
0x2c 0x48 0x61 0x99 0x4c 0x81 0xfb 0x90 0xa7 0xee 0xe3 0xe4 0x38 0xa5 0xe5 0xe7 0xd4 0xad
0xdb 0x3a 0xed 0xb2 0xe2 0x10 0xb6 0xe8 0x69 0xcc 0xbb 0xf9 0x17 0xc7 0xdf 0xf4 0x5c 0x16
0x66 0x10 0xf7 0xfb 0xea 0x36 0x39 0xf4 0xcb 0x93 0xd7 0x3b 0x2a 0xd4 0x4c 0x6b 0x12 0x4d
0x45 0xe6 0x20 0x56 0x6f 0x40 0x36 0x3a 0x5c 0x20 0x05 0x7f 0x7c 0x01 0xc0 0xfe 0x6d 0xb0
0x14 0x0e 0x30 0x74 0xa3 0x21 0x73 0xe3 0xf2 0xf4 0x11 0xee 0x4c 0x67 0xe3 0x8d 0x02 0x91
0x22 0xd1 0x61 0x24 0x4b 0x85 0x8e 0x69 0x80 0x87 0x86 0x05 0x95 0x2e 0x4e 0xf8 0x86 0xc6
0xe2 0xfa 0x0f 0x5f 0x90 0x41 0xf0 0xe0 0x95 0x81 0x35 0xb5 0xc1 0xea 0x4e 0x83 0x1f 0x2f
0xe3 0x48 0x1e 0x3a 0xa6 0x09 0x6b 0xbb 0x01 0x8e 0x9e 0x18 0xde 0x13 0x02 0xf7 0x90 0x1c
0x83 0xbd 0xf8 0x18 0x43 0x3e 0xa8 0x45 0x3e 0x02 0x2b 0xe1 0x18 0x7c 0xbf 0x1f 0x6f 0x63
0x7b 0xe1 0xf5 0x8e 0xb6 0x6f 0x51 0x64 0x6e 0xfd 0xac 0x6c 0x00 0xeb 0x80 0xe1 0xf0 0x67
0xd1 0x4d 0xd3 0xa8 0xe0 0x77 0x0b 0xc1 0x85 0x97 0xd8 0xbe 0x8e 0x1e 0x35 0x0b 0xe3 0x0c
0xe6 0xa8 0x31 0x76 0x78 0x77 0x2d 0x39 0x83 0x49 0x30 0x03 0x21 0xa1 0x36 0x4e 0xc6 0x11
0xdb 0x3c 0xb5 0xdd 0x6a 0x50 0xd4 0xdd 0xaf 0x25 0x86 0xc0 0x27 0x66 0xd7 0x36 0xf1 0xb0
0x7e 0xdc 0xba 0x81 0xca 0x90 0x7e 0x77 0xf2 0x30 0xda 0x70 0xa3 0xc8 0x77 0x0d 0xb2 0x7b
0x0c 0x20 0x56 0x71 0x9f 0x8b 0x41 0xd3 0xd7 0xe1 0x2d 0xbd 0xa3 0x9f 0x8a 0x95 0x52 0x2c
0x48 0x27 0xea 0x5d 0x3a 0x2d 0xe9 0xac 0x8d 0xe4 0xbc 0x51 0x50 0x17 0x36 0xe3 0xbb 0xba
0x92 0x3a 0x7a 0x40 0x69 0x43 0x33 0x96 0x98 0x39 0x28 0x54 0x57 0x6f 0xd9 0x9c 0xbc 0x69
0xa0 0x04 0xe0 0x0d 0xbd 0xef 0x5f 0x32 0x1d 0x63 0x24 0x66 0x18 0xe4 0x2a 0x47 0x3f 0x2a
0x36 0xe6 0x44 0x5a 0x75 0x37 0x11 0x69 0x97 0x7d 0x24 0x2d 0xa5 0x66 0xe1 0xad 0x80 0x67
0xf9 0x7a 0x28 0x1d 0xe0 0x13 0xc5 0xa6 0xa9 0xb8 0x05 0xe4 0xd4 0xc2 0x8d 0x77 0xab 0xbc
0x26 0x4f 0x76 0x32 0x67 0xa7 0x97 0xdb 0x1b 0xa6 0xca 0xeb 0x84 0x83 0x88 0x05 0x9c 0xfb
0x19 0xcc 0xd1 0x39 0x5f 0x46 0xf6 0x78 0x77 0x53 0xa1 0x16 0x4b 0x69 0x91 0x14 0xe4 0x36
0x6e 0xa2 0x4a 0x54 0x95 0x79 0x36 0x5d 0xa2 0x49 0xec 0xd6 0x90 0xa7 0xbb 0xcc 0x1e 0x71
0x78 0xfe 0xfe 0x81 0x15 0x2e 0x42 0x74 0xb7 0xbd 0x1d 0xae 0xa1 0xb4 0xf2 0x9e 0x6b 0x11
0x55 0xb4 0xd3 0x53 0x53 0x64 0x0b 0x0a 0xc2 0xa7 0x4d 0xe6 0xb8 0xbb 0xf5
07:58:37,340 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) Creating new NegotiationContext
07:58:37,341 TRACE [org.jboss.security.negotiation.common.NegotiationContext]
(http-127.0.0.1:8080-1) associate 482840717
07:58:37,347 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Wrapped Krb5LoginModule is
'com.sun.security.auth.module.Krb5LoginModule'
07:58:37,347 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) delegationCredential=USE
07:58:37,350 INFO [stdout] (http-127.0.0.1:8080-1) Debug is true storeKey true
useTicketCache true useKeyTab true doNotPrompt true ticketCache is /tmp/krb5cc_100e0
isInitiator true KeyTab is /home/jstastny/tmp-workspaces/workspace/HTTP_localhost
refreshKrb5Config is false principal is HTTP/localhost(a)EXAMPLE.COM tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
07:58:37,350 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Initialised wrapped login module.
07:58:37,350 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) addGssCredential=true
07:58:37,350 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) wrapGssCredential=false
07:58:37,350 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) No delegation credential so falling through to use wrapped login
module.
07:58:37,352 INFO [stdout] (http-127.0.0.1:8080-1) Acquire TGT from Cache
07:58:37,354 INFO [stdout] (http-127.0.0.1:8080-1) Principal is
HTTP/localhost(a)EXAMPLE.COM
07:58:37,354 INFO [stdout] (http-127.0.0.1:8080-1) null credentials from Ticket Cache
07:58:37,687 INFO [stdout] (http-127.0.0.1:8080-1) principal is
HTTP/localhost(a)EXAMPLE.COM
07:58:37,688 INFO [stdout] (http-127.0.0.1:8080-1) Will use keytab
07:58:37,689 INFO [stdout] (http-127.0.0.1:8080-1) Commit Succeeded
07:58:37,689 INFO [stdout] (http-127.0.0.1:8080-1)
07:58:37,689 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Called wrapped login module respone=true
07:58:37,689 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Adding GSSCredential to populated Subject
07:58:37,692 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Creating GSSName for Principal
'HTTP/localhost(a)EXAMPLE.COM'
07:58:37,696 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Added private credential.
07:58:37,714 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Removing GSSCredential added to subject during authentication.
07:58:37,714 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Passing to wrapped login module to logout.
07:58:37,714 INFO [stdout] (http-127.0.0.1:8080-1) [Krb5LoginModule]: Entering logout
07:58:37,715 INFO [stdout] (http-127.0.0.1:8080-1) [Krb5LoginModule]: logged out
Subject
07:58:37,715 TRACE [org.jboss.security.negotiation.KerberosLoginModule]
(http-127.0.0.1:8080-1) Disposing of GSSCredential
07:58:37,721 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) authenticated principal =
GenericPrincipal[IiHacYzARtsmAF3+MOfUOI1W_1478761117341(odata,user,)]
07:58:37,722 TRACE [org.jboss.security.negotiation.common.MessageTrace.Response.Base64]
(http-127.0.0.1:8080-1)
oXIwcKJuBGxgagYJKoZIhvcSAQICAgBvWzBZoAMCAQWhAwIBD6JNMEugAwIBEaJEBEIw/ArS7fib
M9EJec7tQTiDM9Xm9CuAJ9A3+6wj+ubYOmD2+PaWnLMMyCbvuMkF5VriZZX0OJdt66nlcjJsHlME
F0Q=
07:58:37,722 TRACE [org.jboss.security.negotiation.common.NegotiationContext]
(http-127.0.0.1:8080-1) clear 482840717
07:58:37,742 DEBUG [org.teiid.SECURITY] (http-127.0.0.1:8080-1) authenticateUser
anonymous JDBC
07:58:37,747 DEBUG [org.teiid.SECURITY] (http-127.0.0.1:8080-1) Logon successful, created
session: sessionid=Ztls9qKXYVAN; userName=KRBUSR05\@EXAMPLE.COM(a)EXAMPLE.COM;
vdbName=oracle_kerberos; vdbVersion=1; createdTime=Thu Nov 10 07:58:37 GMT+01:00 2016;
applicationName=JDBC; clientHostName=null; clientHardwareAddress=null; IPAddress=null;
securityDomain=EXAMPLE.COM; lastPingTime=Thu Nov 10 07:58:37 GMT+01:00 2016
07:58:37,760 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) Successfully obtained a
session.
07:58:37,760 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) Connection Url=
07:58:37,760 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) ApplicationName=JDBC
07:58:37,760 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1)
PassthroughAuthentication=true
07:58:37,761 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) local-transport-name=odata
07:58:37,761 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) waitForLoad=0
07:58:37,761 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) batch-size=256
07:58:37,761 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1)
VirtualDatabaseName=oracle_kerberos.1
07:58:37,761 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) transportName=odata
07:58:37,761 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) skiptoken-cache-time=300000
07:58:37,761 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) The JDBC Driver successfully
obtained a connection.
{code}
Security domains configured:
{code:xml}
<security-domain name="host">
<authentication>
<login-module code="Kerberos" flag="required"
module="org.jboss.security.negotiation">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="keyTab"
value="${jboss.home.dir}/HTTP_localhost"/>
<module-option name="principal"
value="HTTP/localhost(a)EXAMPLE.COM"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="useTicketCache"
value="true"/>
<module-option name="debug" value="true"/>
<module-option name="refreshKrb5Config"
value="false"/>
<module-option name="isInitiator" value="true"/>
<module-option name="addGSSCredential"
value="true"/>
<module-option name="delegationCredential"
value="USE"/>
<module-option name="ticketCache"
value="/tmp/krb5cc_100e0"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="EXAMPLE.COM">
<authentication>
<login-module code="SPNEGO" flag="requisite"
module="org.jboss.security.negotiation">
<module-option name="password-stacking"
value="useFirstPass"/>
<module-option name="serverSecurityDomain"
value="host"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="SimpleRoles" type="role">
<module-option name="KRBUSR05(a)EXAMPLE.COM"
value="user,odata"/>
</mapping-module>
</mapping>
</security-domain>
<security-domain name="passthrough-security">
<authentication>
<login-module code="org.teiid.jboss.PassthroughIdentityLoginModule"
flag="required" module="org.jboss.teiid">
<module-option name="userName" value="guest"/>
<module-option name="password" value="guest"/>
</login-module>
</authentication>
</security-domain>
{code}
Datasource configured:
{code:xml}
<datasource jndi-name="java:/Oracle12_krb"
pool-name="Oracle12_krb" enabled="true" spy="true">
<connection-url>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=url.somewhere.com)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=qaora12)))</connection-url>
<connection-property name="oracle.net.authentication_services">
(KERBEROS5)
</connection-property>
<driver>oracle</driver>
<pool>
<prefill>false</prefill>
<allow-multiple-users>false</allow-multiple-users>
</pool>
<security>
<security-domain>passthrough-security</security-domain>
</security>
</datasource>
{code}
VDB:
{code:xml}
<vdb name="oracle_kerberos" version="1">
<property name="security-domain" value="EXAMPLE.COM"/>
<property name="authentication-type" value="GSS"/>
<model name="BQT1">
<source name="local" translator-name="oracle"
connection-jndi-name="java:/Oracle12_krb"/>
<metadata type="DDL"><![CDATA[
CREATE FOREIGN TABLE dual (
"user" string PRIMARY KEY
);
]]> </metadata>
</model>
</vdb>
{code}