[ https://jira.jboss.org/browse/TEIID-1247?page=com.atlassian.jira.plugin.s... ]
Brenton Camac commented on TEIID-1247:
--------------------------------------
Thanks Ramesh for looking into the issue and identifying the root cause so quickly. On
the items you suggested:
1). Using the Teiid driver explicitly instead of the connection pool is a pattern we
probably would not use because it involves code changes. However, it is a possibility of
last resort.
2). I did try adding <security-domain/> to the <xa-datasource> element which
defined the local Teiid datasource but didn't observe any change in the test case. Is
this the correct element? Is it supposed to be defined on the xa-datasource element?
3). Looking forward to the patch.
Passthrough Authentication on JDBC Connection not switching identities
----------------------------------------------------------------------
Key: TEIID-1247
URL: https://jira.jboss.org/browse/TEIID-1247
Project: Teiid
Issue Type: Bug
Components: Query Engine
Affects Versions: 7.1
Environment: Teiid: 7.1
JBoss: EAP 501
Java: 1.6.0_20 HotSpot 64-Bit Server VM 16.3-b01-279 (Apple Inc).
Teiid Datasources deployed as Embedded XA Datasource.
Reporter: Brenton Camac
Assignee: Ramesh Reddy
Fix For: 7.1.1, 7.2
When the Teiid datasource property 'PassthroughAuthentication' is enabled Teiid
does not switch the identity on that connection when the caller's identity is changed.
Such is typically the case when an existing connection is retrieved from the connection
pool (datasource.getConnection() ) by a different caller identity. Teiid should switch
the identity on that connection to the new caller's identity.
This is described in the Client Developer's Guide
(http://docs.jboss.org/teiid/7.1.0.Final/client-developers-guide/en-US/htm...)
Section 1.2 - Datasource Connection in Table 1.2 / PassthroughAuthentication:
"... Teiid also verifies that the same user is using this connection during the
life of the connection. if it finds a different security context on the calling thread, it
switches the identity on the connection, if the new user is also eligible to log in to
Teiid otherwise connection fails to execute."
When the identity isn't switched as it should be, one caller can initiate a connection
and another caller with a different identity will be presented to Teiid's
authorization facility as the other caller, resulting in incorrect authorization
decisions.
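The identity mix-up described in this report, reduced to a self-contained Java model (an added example, not code from Teiid or from the reporter): a pooled connection keeps the session identity of whoever opened it unless the pool re-checks the calling thread on checkout. `CALLER`, `Conn`, `Pool` and the `revalidate` flag are hypothetical stand-ins, not Teiid or JBoss APIs.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class PassthroughPoolDemo {
    // Hypothetical stand-in for the container's security context on the calling thread.
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    static class Conn {
        String sessionUser;                        // identity the server-side session is bound to
        Conn(String user) { sessionUser = user; }
        // Authorization as the engine sees it: only the session identity counts.
        boolean mayRead(String rowOwner) { return sessionUser.equals(rowOwner); }
    }

    static class Pool {
        private final Deque<Conn> idle = new ArrayDeque<>();
        private final boolean revalidate;          // true = behaviour the guide documents
        Pool(boolean revalidate) { this.revalidate = revalidate; }

        Conn getConnection() {
            String caller = CALLER.get();
            Conn c = idle.poll();
            if (c == null) return new Conn(caller);    // fresh session, bound to the caller
            if (revalidate && !caller.equals(c.sessionUser)) {
                c.sessionUser = caller;                // switch identity to the new caller
            }
            return c;                                  // no check: previous identity is reused
        }

        void release(Conn c) { idle.push(c); }
    }

    // alice opens and returns a connection; bob then checks one out and asks for alice's rows.
    static boolean bobReadsAliceRows(boolean revalidate) {
        Pool pool = new Pool(revalidate);
        CALLER.set("alice");
        pool.release(pool.getConnection());
        CALLER.set("bob");
        return pool.getConnection().mayRead("alice");
    }

    public static void main(String[] args) {
        System.out.println("identity not switched: bob reads alice's rows = "
                + bobReadsAliceRows(false));
        System.out.println("identity switched:     bob reads alice's rows = "
                + bobReadsAliceRows(true));
    }
}
```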