[teiid-issues] [JBoss JIRA] Resolved: (TEIID-1247) Passthrough Authentication on JDBC Connection not switching identities

Ramesh Reddy (JIRA) jira-events at lists.jboss.org
Sat Sep 4 11:50:52 EDT 2010


     [ https://jira.jboss.org/browse/TEIID-1247?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ramesh Reddy resolved TEIID-1247.
---------------------------------

    Resolution: Done


The identity switching is happening as expected on the calling thread when Teiid finds the new subject; however, the "local" connection object was caching the allowed policies for the user, and was not flushing the policies out when the previous session associated with that "local" connection changed. Hence the behaviour, which is now fixed.

So, in all other scenarios, except for role checking, this works as expected. Also, a couple of other workarounds are:

1) Do not use the pool, and create a "local" connection every time using the Teiid driver in your client code. I suspect since it is local it is not expensive, as it only creates a session object; no actual authentication happens.
2) You can configure the JBoss pool by subject. Check here: http://community.jboss.org/docs/DOC-10430 (please let us know how this works)
3) Apply the patch from this JIRA or wait for the 7.2.alpha2 release.

> Passthrough Authentication on JDBC Connection not switching identities
> ----------------------------------------------------------------------
>
>                 Key: TEIID-1247
>                 URL: https://jira.jboss.org/browse/TEIID-1247
>             Project: Teiid
>          Issue Type: Bug
>          Components: Query Engine
>    Affects Versions: 7.1
>         Environment: Teiid: 7.1
> JBoss: EAP 501
> Java: 1.6.0_20  HotSpot 64-Bit Server VM 16.3-b01-279  (Apple Inc).
> Teiid Datasources deployed as Embedded XA Datasource.
>            Reporter: Brenton Camac
>            Assignee: Ramesh Reddy
>             Fix For: 7.1.1, 7.2
>
>
> When the Teiid datasource property 'PassthroughAuthentication' is enabled Teiid does not switch the identity on that connection when the caller's identity is changed. Such is typically the case when an existing connection is retrieved from the connection pool (datasource.getConnection()) by a different caller identity. Teiid should switch the identity on that connection to the new caller's identity.
> This is described in the Client Developer's Guide (http://docs.jboss.org/teiid/7.1.0.Final/client-developers-guide/en-US/html_single/) Section 1.2 - Datasource Connection in Table 1.2 / PassthroughAuthentication:
>  
> "...  Teiid also verifies that the same user is using this connection during the life of the connection. if it finds a different security context on the calling thread, it switches the identity on the connection, if the new user is also eligible to log in to Teiid otherwise connection fails to execute."
> When the identity isn't switched as it should be, one caller can initiate a connection and another caller with a different identity will be presented to Teiid's authorization facility as the other caller, resulting in incorrect authorization decisions.

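The stale-policy condition described in the resolution above, as an added example that is neither Teiid's code nor the patch from this JIRA: a constructed Java model of one pooled "local" connection that caches role policies per connection, run once without and once with a cache flush on identity switch. `LocalConnection`, `hasRole`, `flushOnSwitch`, `POLICY_STORE` and the sample users are hypothetical names chosen for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Constructed model of the bug; all class and method names are hypothetical, not Teiid's API.
public class PooledIdentityDemo {
    // Constructed sample data: user -> roles granted by the policy store.
    static final Map<String, Set<String>> POLICY_STORE = new HashMap<>();
    static {
        POLICY_STORE.put("alice", Set.of("admin", "reader"));
        POLICY_STORE.put("bob", Set.of("reader"));
    }

    static class LocalConnection {
        private final boolean flushOnSwitch;
        private String sessionUser;       // identity of the current session
        private Set<String> cachedRoles;  // per-connection policy cache

        LocalConnection(boolean flushOnSwitch) {
            this.flushOnSwitch = flushOnSwitch;
        }

        // Called on each use with the subject found on the calling thread.
        boolean hasRole(String callerSubject, String role) {
            if (!callerSubject.equals(sessionUser)) {
                sessionUser = callerSubject;   // the identity switch happens in both variants
                if (flushOnSwitch) {
                    cachedRoles = null;        // fixed variant: drop the old session's policies
                }
            }
            if (cachedRoles == null) {
                cachedRoles = POLICY_STORE.getOrDefault(sessionUser, Set.of());
            }
            return cachedRoles.contains(role);
        }
    }

    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            // One connection object, reused by two callers as a pool would hand it out.
            LocalConnection pooled = new LocalConnection(fixed);
            boolean alice = pooled.hasRole("alice", "admin");
            boolean bob = pooled.hasRole("bob", "admin");
            System.out.printf("flushOnSwitch=%b alice.admin=%b bob.admin=%b%n", fixed, alice, bob);
        }
    }
}
```

A regression test for this class of bug reuses a single connection across two subjects with different roles and asserts that the second caller's role check reflects only the second caller's policies.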