5 Replies Latest reply on Sep 9, 2014 5:39 PM by haifen_bi

Switch identity using Teiid local connection and PassthroughAuthentication is not working in Teiid 8.7

haifen_bi Sep 5, 2014 11:13 AM

We connect to Teiid using local connection and PassthroughAuthentication=true. In Teiid 8.7, switching Identity is not working, generating following errors after a second user tried to connect to Teiid:

09:11:04,655 INFO [org.teiid.SECURITY] (http-/0.0.0.0:8080-2) TEIID40115 Local pass-through connection implicitly closing session 1I4iq/wGO27I so that the connection can be used in a different security context.

09:11:04,658 SEVERE [org.teiid.SECURITY] (http-/0.0.0.0:8080-2) TEIID40087 Passthrough authentication failed. No authentication information found.

To reproduce same issue:

(1) Connect to Teiid using local connection and set PassthroughAuthentication=true;

(2) Added following security domain:

<security-domain name="test-security-domain" cache-type="default">

<login-module code="UsersRoles" flag="required">

<module-option name="usersProperties" value="${jboss.server.config.dir}/test-security-users.properties"/>

<module-option name="rolesProperties" value="${jboss.server.config.dir}/test-security-roles.properties"/>

<module-option name="password-stacking" value="useFirstPass"/>

</login-module>

</authentication>

</security-domain>

(3) Set following in standalone-xx.xml

</transport>

</transport>

</transport>

(4) Connect to Teiid using first user, successful

(5) Connect to Teiid using a different user, a passthrough authentication failed error is generated from teiid.

I tried same test case against Teiid 8.4, different users were able to connect teiid without any issue.

Any help is much appreciated.

Thanks,

Haifen

1. Re: Switch identity using Teiid local connection and PassthroughAuthentication is not working in Teiid 8.7

rareddy Sep 5, 2014 11:52 AM (in response to haifen_bi)

How are you switching users? What is your client application look like?

I would expect the above is correct when PassthroughAuthentication= true, unless you are re-authenticating the second user independent of Teiid.
Actions
2. Re: Switch identity using Teiid local connection and PassthroughAuthentication is not working in Teiid 8.7

haifen_bi Sep 5, 2014 12:22 PM (in response to rareddy)

(1) All users in this case are part of test-security-domain that uses Login Module "UserRoles"
(2) Our Application is ODATA/JPA resides in the same JBoss AS instance as Teiid. We configure Teiid to use the same security domain as our application's security domain (test-security-domain mentioned above ) and not force the user to re-authenticate.
(3) Debugging Teiid 8.7 source code indicated the second user's security context with correct subject was pass to Teiid/JBOSS, but it failed to find it during authenticate() after it closed the session to use second user's security context.
Actions
3. Re: Switch identity using Teiid local connection and PassthroughAuthentication is not working in Teiid 8.7

rareddy Sep 8, 2014 6:54 AM (in response to haifen_bi)

Haifen,

IMO, there is not much you gain from using switching user on LocalConnection as there is minimal overhead and no socket connection. However, if need to switch user i.e re-use same connection with different user, you need to use procedure defined here https://docs.jboss.org/author/display/TEIID/Reauthentication.

When using the pass through authentication, I am not sure how you configured. Did you configure data source configuration in standalone-teiid.xml for LocalConnection? Or you trying to create one dynamically? I do not think Teiid even supports this!

Ramesh..
Actions
4. Re: Switch identity using Teiid local connection and PassthroughAuthentication is not working in Teiid 8.7

haifen_bi Sep 8, 2014 10:50 AM (in response to rareddy)

Ramesh, thanks for the response.

(1) We didn't configure data source for LocalConnection.
(2) We have been using Teiid local connection and pass through authentication to get data source metadata for quite a while without any issue. we created Teiid local connection using:
jdbc:teiid:VDB_NAME;version=1;PassthroughAuthentication=true;fetchSize=2048;ApplicationName=App1;VirtualDatabaseName=db1;useCallingThread=false;
(3) Now there is a need in our application to retrieve the user specific information along with data source metadata and we try to use same teiid local connection session but different users.
(4) I will try out the suggested Teiid procedure and posted on the forum..

Thanks,
Haifen
Actions
5. Re: Switch identity using Teiid local connection and PassthroughAuthentication is not working in Teiid 8.7

haifen_bi Sep 9, 2014 5:39 PM (in response to haifen_bi)

Hi Ramesh,

we have changed to access data source defined in standalone-.xml and not trying to create one dynamically. Now Teiid is able to switch identity without any issue.

Thank you very much for all your help.
Actions

Go to original post