-
1. Re: Unable to connect to Teiid Server using custom Security Domain
rareddy Sep 20, 2013 7:51 AM (in response to rakeshsagar)That looks fine, how did you define the "module" for your custom login module file? Check this JBoss AS7: Security : Custom Login Modules
You need to define "module" attribute on "login-module" element.
-
2. Re: Unable to connect to Teiid Server using custom Security Domain
rakeshsagar Sep 20, 2013 10:30 AM (in response to rareddy)It worked. We did not know that we had to add the module attribute to the login-module.
It used to work without the module attribute.
Thanks Ramesh.
-
3. Re: Unable to connect to Teiid Server using custom Security Domain
rareddy Sep 20, 2013 10:34 AM (in response to rakeshsagar)Not in Teiid 8.x with JBoss AS7.x, unless you copied this jar somewhere else in the classpath before.
-
4. Re: Unable to connect to Teiid Server using custom Security Domain
rakeshsagar Apr 1, 2014 8:13 AM (in response to rareddy)Hi Ramesh,
We are upgrading to Teiid 8.7 Beta2 and we are facing the same problem even though we have defined the "module" attribute on the "login-module" element.
Also, we are using JBoss EAP6.1.0 Final.
The following is the configuration:
<security-domain name="chorus-teiid-security" cache-type="default">
<authentication>
<login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="required" module="com.ca.chorus.common"/>
</authentication>
</security-domain>
<security-domain name="chorus-cfar-security" cache-type="default">
<authentication>
<login-module code="com.ca.mfui.chorusR2.common.security.ChorusUsersRolesLoginModule" flag="required" module="com.ca.chorus.common">
<module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="chorus-login-security" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
<module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
</login-module>
<login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="sufficient" module="com.ca.chorus.common"/>
</authentication>
</security-domain>
<transport name="embedded">
<authentication security-domain="chorus-login-security"/>
</transport>
<transport name="odata">
<authentication security-domain="teiid-security"/>
</transport>
<transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
<authentication security-domain="teiid-security,chorus-teiid-security"/>
</transport>
<transport name="odbc" socket-binding="teiid-odbc" protocol="pg">
<authentication security-domain="teiid-security"/>
</transport>
Please suggest.
Thanks
Rakesh
-
5. Re: Unable to connect to Teiid Server using custom Security Domain
rareddy Apr 1, 2014 8:29 AM (in response to rakeshsagar)Nothing has changed, just make sure you created the correct directory for your JAR in the "modules" directory and provided a correct "module.xml" file. Then if it still does not work, what is the error message? If you are seeing "module" not found, then you configured it incorrectly, double-check your settings.
Ramesh..
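The two things the reply above asks you to verify (the directory under "modules" and the "module.xml" inside it) are mechanical enough to script and check. The following is an added example written for this thread, not code from Teiid, JBoss or the poster. It assumes the module name `com.ca.chorus.common` from the thread's configuration, uses a placeholder JAR name `chorus-common.jar`, and declares the `org.picketbox` and `javax.api` module dependencies a custom login module needs for the `org.jboss.security.*` and `javax.security.auth.*` classes. The check reproduces the usual cause of a "module not found" error: a `name` attribute in module.xml that does not match the directory path the name maps to.

```python
"""Lay out and sanity-check a JBoss AS7 / EAP 6 static module for a custom login-module JAR.

Added example for this thread, not code from Teiid, JBoss or the poster.
The module name com.ca.chorus.common is the one used in the thread's
security-domain configuration; the JAR name chorus-common.jar is a placeholder.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

MODULE_NS = "urn:jboss:module:1.1"


def module_dir(modules_root, module_name, slot="main"):
    """Directory JBoss resolves a module from: one path component per dotted
    segment of the name, followed by the slot (default "main")."""
    return os.path.join(modules_root, *module_name.split("."), slot)


def module_xml(module_name, jar_name, dependencies=("org.picketbox", "javax.api")):
    """Render module.xml. org.picketbox provides the org.jboss.security.* base
    classes a custom login module extends; javax.api provides javax.security.auth."""
    deps = "\n".join(f'        <module name="{d}"/>' for d in dependencies)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<module xmlns="{MODULE_NS}" name="{module_name}">\n'
        "    <resources>\n"
        f'        <resource-root path="{jar_name}"/>\n'
        "    </resources>\n"
        "    <dependencies>\n"
        f"{deps}\n"
        "    </dependencies>\n"
        "</module>\n"
    )


def install_module(modules_root, module_name, jar_path):
    """Create the module directory, copy the JAR in and write module.xml."""
    target = module_dir(modules_root, module_name)
    os.makedirs(target, exist_ok=True)
    jar_name = os.path.basename(jar_path)
    shutil.copy(jar_path, os.path.join(target, jar_name))
    with open(os.path.join(target, "module.xml"), "w", encoding="utf-8") as fh:
        fh.write(module_xml(module_name, jar_name))
    return target


def check_module(modules_root, module_name):
    """Return the problems that a "module not found" error at deploy time usually
    traces back to: missing module.xml, a name attribute that does not match the
    directory path, or a resource-root JAR that is not actually there."""
    problems = []
    target = module_dir(modules_root, module_name)
    xml_path = os.path.join(target, "module.xml")
    if not os.path.isfile(xml_path):
        return [f"missing {xml_path}"]
    root = ET.parse(xml_path).getroot()
    if root.tag != f"{{{MODULE_NS}}}module":
        problems.append("root element is not <module> in the urn:jboss:module:1.1 namespace")
    if root.get("name") != module_name:
        problems.append(f"module.xml name {root.get('name')!r} does not match path-derived name {module_name!r}")
    for rr in root.iter(f"{{{MODULE_NS}}}resource-root"):
        path = rr.get("path") or ""
        if not os.path.isfile(os.path.join(target, path)):
            problems.append(f"resource-root {path!r} is not present in {target}")
    return problems


def demo(module_name="com.ca.chorus.common"):
    """Install into a throwaway modules root, check it, then reproduce the
    classic mistake (name attribute out of step with the directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        modules_root = os.path.join(tmp, "modules")
        jar_path = os.path.join(tmp, "chorus-common.jar")  # placeholder, empty file
        open(jar_path, "wb").close()
        target = install_module(modules_root, module_name, jar_path)
        clean = check_module(modules_root, module_name)
        # Rewrite module.xml with a mismatched name, as if copied from another module
        with open(os.path.join(target, "module.xml"), "w", encoding="utf-8") as fh:
            fh.write(module_xml("com.example.other", "chorus-common.jar"))
        broken = check_module(modules_root, module_name)
        return {
            "relative_dir": os.path.relpath(target, modules_root),
            "clean_problems": clean,
            "broken_problems": broken,
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a real server by pointing `modules_root` at the server's `modules` directory instead of the temporary one; the `relative_dir` it reports (`com/ca/chorus/common/main`) is the directory the `module="com.ca.chorus.common"` attribute on the login-module element resolves to.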
-
6. Re: Unable to connect to Teiid Server using custom Security Domain
rakeshsagar Apr 1, 2014 10:15 AM (in response to rareddy)Thanks Ramesh.
I will re-check the configuration.
The following is the exception I get in the logs.
01 Apr 2014 17:01:45,559 DEBUG [org.teiid.SECURITY] (New I/O worker #3) null authenticateUser sagra02 JDBC
01 Apr 2014 17:01:45,565 WARN [org.teiid.SECURITY] (New I/O worker #3) null TEIID40011 Processing exception 'TEIID50072 The username "sagra02" and/or password and/or payload token could not be authenticated by any membership domain.' for session null. Exception type org.teiid.client.security.LogonException thrown from org.teiid.jboss.JBossSessionService.authenticate(JBossSessionService.java:76).: org.teiid.client.security.LogonException: TEIID50072 The username "sagra02" and/or password and/or payload token could not be authenticated by any membership domain.
at org.teiid.transport.LogonImpl.logon(LogonImpl.java:149) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]
at org.teiid.transport.LogonImpl.logon(LogonImpl.java:117) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]
at sun.reflect.GeneratedMethodAccessor86.invoke(Unknown Source) [:1.7.0_03]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]
at org.teiid.transport.ServerWorkItem.run(ServerWorkItem.java:87) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:274) [teiid-engine-8.7.0.Beta2.jar:8.7.0.Beta2]
at org.teiid.transport.SocketClientInstance.processMessagePacket(SocketClientInstance.java:207) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]
at org.teiid.transport.SocketClientInstance.receivedMessage(SocketClientInstance.java:193) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]
at org.teiid.transport.SSLAwareChannelHandler.messageReceived(SSLAwareChannelHandler.java:211) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]
at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.handler.stream.ChunkedWriteHandler.handleUpstream(ChunkedWriteHandler.java:142) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:555) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:107) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:88) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_03]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_03]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_03]
Caused by: javax.security.auth.login.LoginException: TEIID50072 The username "sagra02" and/or password and/or payload token could not be authenticated by any membership domain.
at org.teiid.jboss.JBossSessionService.authenticate(JBossSessionService.java:76) [teiid-jboss-integration-8.7.0.Beta2.jar:8.7.0.Beta2]
at org.teiid.services.SessionServiceImpl.createSession(SessionServiceImpl.java:170) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]
at org.teiid.transport.LogonImpl.logon(LogonImpl.java:134) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]
... 34 more
-
7. Re: Unable to connect to Teiid Server using custom Security Domain
rareddy Apr 1, 2014 10:35 AM (in response to rakeshsagar)BTW, the transport element in Teiid 8.7 Beta2 only takes a single security domain, so the below is incorrect.
<authentication security-domain="teiid-security,chorus-teiid-security"/>
Also, you can now add the security-domain in the vdb.xml file as well, to use a particular security-domain for a particular VDB. The transport-level configuration will still act as the default one.
Ramesh..
-
8. Re: Unable to connect to Teiid Server using custom Security Domain
rakeshsagar Apr 2, 2014 12:23 AM (in response to rareddy)Thanks Ramesh.
Is there a way by which we can specify multiple security domains at the transport level?
<transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
<authentication security-domain="teiid-security,chorus-teiid-security"/>
</transport>
Also, can you please point me to the doc for adding the security-domain to the vdb.xml file?
Thanks
Rakesh.
-
9. Re: Unable to connect to Teiid Server using custom Security Domain
rareddy Apr 2, 2014 9:06 AM (in response to rakeshsagar)Rakesh,
Here is the documentation VDB Definition - Teiid 8.7 (draft) - Project Documentation Editor
No, you cannot specify multiple security domains on the transport either. If you need to have multiple authentication methods, then you can define them on a single "security-domain" with multiple "login" modules. It would give you the same functionality. For example
{code}
<security-domain name="teiid-security" cache-type="default">
<authentication>
<login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="required" module="com.ca.chorus.common"/>
<login-module code="UserRoles" flag="sufficient">
<module-option name="password-stacking" value="useFirstPass" />
<module-option name="usersProperties" value="teiid-users.properties" />
<module-option name="rolesProperties" value="teiid-roles.properties" />
</login-module>
</authentication>
</security-domain>
{code}
There is no need for verbose definitions of security domains; it was an old concept from before the login-modules that got carried over from old versions.
Ramesh..
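Whether a stacked single domain really gives "the same functionality" as two domains depends on the flags. The `chorus-login-security` domain in reply 4 lists both modules as `sufficient`, so either credential source is enough on its own; the example in reply 9 puts the custom module first as `required`, which means it must succeed on every login and the `UsersRoles` module can only add to, never substitute for, that result. The following is an added example, not code from the thread, Teiid or JBoss: it models the flag-combination rules of `javax.security.auth.login.Configuration` (going beyond the thread by also covering `requisite` and `optional`) with stand-in modules and constructed user tables, so a proposed stack can be checked before it reaches a server.

```python
"""How a JAAS login-module stack combines its flags.

Added example, not code from the thread or from JBoss/Teiid. The stand-in
modules below take (username, password) and return True/False in place of
real LoginModule.login()/commit() calls; the user tables are constructed.
Semantics follow javax.security.auth.login.Configuration:
  required   - must succeed; the stack keeps going either way
  requisite  - must succeed; failure stops the stack immediately
  sufficient - success ends the stack with overall success unless an earlier
               required/requisite module already failed; failure keeps going
  optional   - its result only matters when no required/requisite module exists
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

# Constructed sample users: one known only to the custom module, one only to the
# properties-file module (the equivalent of teiid-security-users.properties).
CUSTOM_USERS = {"alice": "alice-pw"}
PROPERTIES_USERS = {"bob": "bob-pw"}


def chorus_login_module(username, password):
    """Stand-in for the thread's ChorusLoginModule (hypothetical behaviour)."""
    return CUSTOM_USERS.get(username) == password


def users_roles_login_module(username, password):
    """Stand-in for UsersRolesLoginModule backed by a properties file."""
    return PROPERTIES_USERS.get(username) == password


def evaluate_stack(stack, username, password):
    """Return (authenticated, names_of_modules_consulted) for a stack of
    (name, flag, module) tuples evaluated in order."""
    consulted = []
    required_failed = False
    any_success = False
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag, _ in stack)
    for name, flag, module in stack:
        ok = module(username, password)
        consulted.append(name)
        any_success = any_success or ok
        if flag in (REQUIRED, REQUISITE):
            if not ok:
                required_failed = True
                if flag == REQUISITE:
                    return False, consulted
        elif flag == SUFFICIENT and ok and not required_failed:
            return True, consulted
        # OPTIONAL, a failed SUFFICIENT, or a SUFFICIENT after a required failure: keep going
    if has_required:
        return not required_failed, consulted
    return any_success, consulted


# Stack 1: the thread's chorus-login-security domain, both modules "sufficient":
# either source of credentials is enough on its own.
EITHER_OR = [
    ("UsersRolesLoginModule", SUFFICIENT, users_roles_login_module),
    ("ChorusLoginModule", SUFFICIENT, chorus_login_module),
]

# Stack 2: the single-domain layout from reply 9, custom module "required" first.
# password-stacking=useFirstPass only shares the credentials with the second
# module; it does not change which module has to succeed.
CUSTOM_REQUIRED = [
    ("ChorusLoginModule", REQUIRED, chorus_login_module),
    ("UsersRolesLoginModule", SUFFICIENT, users_roles_login_module),
]


def compare(username, password):
    """Outcome of both stacks for one credential pair."""
    return {
        "either_or": evaluate_stack(EITHER_OR, username, password),
        "custom_required": evaluate_stack(CUSTOM_REQUIRED, username, password),
    }


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("bob", "wrong")]:
        print(user, compare(user, pw))
```

The `consulted` list also shows the short-circuit: a successful `sufficient` module stops the stack, so a user found in the properties file never reaches the custom module in the either-or layout, while in the required-first layout both modules run for every login and a properties-only user is rejected.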
-
10. Re: Unable to connect to Teiid Server using custom Security Domain
rakeshsagar Apr 3, 2014 12:22 AM (in response to rareddy)Thanks Ramesh.
-
11. Re: Unable to connect to Teiid Server using custom Security Domain
shawkins Apr 3, 2014 6:34 AM (in response to rakeshsagar)We'll also need to call this out more in the docs/release notes in case others are attempting to use the old style configuration. We may even need to, in 8.7.1, offer the ability to still use the old style multiple security domains per transport.
-
12. Re: Unable to connect to Teiid Server using custom Security Domain
shawkins Apr 16, 2014 7:15 PM (in response to shawkins)> We may even need to, in 8.7.1, offer the ability to still use the old style multiple security domains per transport.
8.7.1 and 8.8 will have [TEIID-2928] Allow for backwards compatibility with multiple security domains per transport - JBoss Issue Tracker but that will only be to bridge until 9. It's much cleaner to associate a single security domain per vdb.
-
13. Re: Unable to connect to Teiid Server using custom Security Domain
rakeshsagar May 13, 2014 11:38 AM (in response to shawkins)Hi,
We have applied the patch for the issue [TEIID-2928] Allow for backwards compatibility with multiple security domains per transport - JBoss Issue Tracker to the Teiid 8.7 source code, as we did not want to change anything in our code related to the Security Domains and authentication.
We are able to specify multiple security domains but we are facing a problem.
Whenever we call executionContext.getSubject() to retrieve the Subject, it always returns null.
Do we know why it always returns null? Any pointers to debug and fix this?
-
14. Re: Unable to connect to Teiid Server using custom Security Domain
rareddy May 13, 2014 12:41 PM (in response to rakeshsagar)You can start debugging in the SessionServiceImpl class, createSession method and see what is occurring with authentication and why you are seeing null.