[teiid-issues] [JBoss JIRA] (TEIID-4183) MSSQL JDBC driver invalidates kerberos ticket on Connection.close()

Ramesh Reddy (JIRA) issues at jboss.org
Mon Jun 27 20:49:00 EDT 2016


     [ https://issues.jboss.org/browse/TEIID-4183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ramesh Reddy resolved TEIID-4183.
---------------------------------
    Fix Version/s: 9.1
                       (was: 9.0)
       Resolution: Done


[~jdurani] Thanks. I had the previous one almost set up correctly, but I forgot to copy a config file. I was finally able to duplicate the issue.

It turned out that the way I was wrapping is correct, but that alone is not sufficient. The subject I was using was not correct. Using the credential, one needs to create a new subject using the security libraries, which will have a krb token for the delegated user. Then the credential matches the user. I corrected it based on the EAP implementation pattern; now it works as expected. See if you can build it locally and test (you can just copy the teiid-jboss-integration-8.12.5.jar into the server).

> MSSQL JDBC driver invalidates kerberos ticket on Connection.close()
> -------------------------------------------------------------------
>
>                 Key: TEIID-4183
>                 URL: https://issues.jboss.org/browse/TEIID-4183
>             Project: Teiid
>          Issue Type: Bug
>    Affects Versions: 8.12.x, 8.7.5.6_2
>            Reporter: Juraj Duráni
>            Assignee: Ramesh Reddy
>             Fix For: 9.1, 8.12.5
>
>
> The MSSQL JDBC driver invalidates the kerberos ticket on Connection.close() (related bugzilla [1]).
> If a user creates a kerberos connection, the driver invalidates the ticket on closing the connection (Connection.close()). Therefore the ticket cannot be re-used. The EAP team created a workaround for this by adding the module option *wrapGSSCredential=true* with the additional setting *credentialLifetime=-1* [2, 3, 4, 5]. This works for static kerberos authentication.
> However, passthrough authentication (org.teiid.jboss.PassthroughIdentityLoginModule) does not work, because the passed ticket is not managed by EAP but by the client.
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1097276
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1097276#c58
> [3] https://issues.jboss.org/browse/SECURITY-905
> [4] https://issues.jboss.org/browse/JBEAP-843
> [5] https://github.com/wildfly-security/jboss-negotiation/commit/0c7e06f58a79855d5ae2fbe6cb662e90baf7a5d4



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
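
A sketch of the credential-wrapping idea discussed in this message, added here as an illustration; it is not the Teiid or jboss-negotiation code. It assumes the driver invalidates the ticket by calling GSSCredential.dispose(); the class name, wrap() and fakeCredential() are hypothetical, and the credential is a constructed stand-in so that no KDC is needed.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;

public class NonDisposableCredentialDemo {

    // View of 'delegate' whose dispose() does nothing; all other calls are forwarded.
    static GSSCredential wrap(GSSCredential delegate) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getName().equals("dispose")) {
                return null; // swallowed: the underlying ticket stays usable
            }
            try {
                return method.invoke(delegate, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the original GSSException
            }
        };
        return (GSSCredential) Proxy.newProxyInstance(
                GSSCredential.class.getClassLoader(), new Class<?>[] {GSSCredential.class}, h);
    }

    // Constructed stand-in for a delegated Kerberos credential; records dispose().
    static GSSCredential fakeCredential(AtomicBoolean disposed) {
        InvocationHandler h = (proxy, method, args) -> {
            switch (method.getName()) {
                case "dispose": disposed.set(true); return null;
                case "hashCode": return System.identityHashCode(proxy);
                case "equals": return proxy == args[0];
                default: throw new UnsupportedOperationException(method.getName());
            }
        };
        return (GSSCredential) Proxy.newProxyInstance(
                GSSCredential.class.getClassLoader(), new Class<?>[] {GSSCredential.class}, h);
    }

    public static void main(String[] args) throws Exception {
        AtomicBoolean disposed = new AtomicBoolean(false);
        // New Subject that carries the wrapped credential as a private credential.
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(wrap(fakeCredential(disposed)));
        // Stand-in for what happens on Connection.close(), per the report.
        for (GSSCredential c : subject.getPrivateCredentials(GSSCredential.class)) {
            c.dispose();
        }
        System.out.println("underlying credential disposed: " + disposed.get());
    }
}
```

Because the wrapper swallows dispose(), whoever owns the underlying credential remains responsible for releasing it.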