[teiid-issues] [JBoss JIRA] (TEIID-4183) MSSQL JDBC driver invalidates kerberos ticket on Connection.close()

Wed Jun 29 02:31:00 EDT 2016

    [ https://issues.jboss.org/browse/TEIID-4183?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13258261#comment-13258261 ] 

Juraj Duráni commented on TEIID-4183:
-------------------------------------

(1) - I can see in the (trace) log of EAP's pool, that there is no available connection in the pool before each query (Available (0), InUse (0)). I might be an issue with connection pooling in EAP rather than MSSQL JDBC driver issue. I use code similar to \[1\]. I am not talking about re-using MSSQL connection for different users.
As far as I know, there is some problem with connection pooling in case of kerberos authentication. Without cache, EAP creates new connection pool for each _connect()_ call. But according to ironjacamar's developer, this require change in the design, which will probably not happen before WildFly 14 (https://bugzilla.redhat.com/show_bug.cgi?id=1166719)
(2) - I did not set prefill parameter so it should be false by default. From the EAP documentation: _Whether to try to prefill the connection pool. The default is false._
(3) - > _You mean this using the connection second time?_ - No I mean for the first time. And the exception is not thrown from the driver \[2\].
(4) - >_BTW, this is specific to SQLServer again._ Seems to be. I tried Oracle and test passed.
(5) - > _I do suspect this should NOT affect any of the current test scripts IMO, but if you are seeing any variance please let me know, we will figure out the issue._ - I have updated tests, so they use different pass-through login modules (for each data source - What do you think? Shouldn't be pass-through module independent? I mean, that you should be able to use one login module for every DS no matter what kind of authentication it uses?). I believe, this is enough for now.

{code:java|title=\[1\] Test code}
for(int i = 0; i < COUNT; i++){
    teiidConnection.createStatement().execute("SELECT * FROM us");
}
{code}

{code:plain|title=\[2\]}
08:36:20,142 INFO  [MultiPlatformProcessRunner] 	at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.1.2.Final-redhat-1.jar:4.1.2.Final-redhat-1]
{code}

> MSSQL JDBC driver invalidates kerberos ticket on Connection.close()
> -------------------------------------------------------------------
>
>                 Key: TEIID-4183
>                 URL: https://issues.jboss.org/browse/TEIID-4183
>             Project: Teiid
>          Issue Type: Bug
>    Affects Versions: 8.12.x, 8.7.5.6_2
>            Reporter: Juraj Duráni
>            Assignee: Ramesh Reddy
>             Fix For: 9.1, 8.12.5
>
>
> MSSQL JDBC driver invalidate kerberos ticket on Connection.close() (related bugzilla \[1\]).
> If user creates kerberos connection, driver invalidates ticket on closing connection (Connection.close()). Therefore ticket cannot be re-used. EAP team creates a workaround for this by adding module option *wrapGSSCredential=true* with additional setting *credentialLifetime=-1* \[2, 3, 4, 5\]. This works for static kerberos authentication.
> However, passthrough authentication (org.teiid.jboss.PassthroughIdentityLoginModule) does not work, because passed ticket is not managed by EAP but by client.
> \[1\] https://bugzilla.redhat.com/show_bug.cgi?id=1097276
> \[2\] https://bugzilla.redhat.com/show_bug.cgi?id=1097276#c58
> \[3\] https://issues.jboss.org/browse/SECURITY-905
> \[4\] https://issues.jboss.org/browse/JBEAP-843
> \[5\] https://github.com/wildfly-security/jboss-negotiation/commit/0c7e06f58a79855d5ae2fbe6cb662e90baf7a5d4

--
This message was sent by Atlassian JIRA
(v6.4.11#64026)