In prior releases of Teiid (<=6.2), Teiid provided client-token-based identity switching. However, starting with Teiid 7.0, Teiid uses JAAS-based authentication and the previous technique is no longer supported.
Currently this is logged as a feature request in Teiid JIRA. Please watch the JIRA and vote for it if you would like to bump up the priority of this feature.
However, Teiid does support pass-through authentication starting from the Teiid 7.1 release.
I am not sure if your client application also resides in the same VM as the JBoss AS or not, i.e. if you are using Teiid with EJB or web services etc. in JBoss AS. If you are, then you can use the "local" connection to Teiid, which works without socket-based communication; then making a new connection every time is not as expensive as from remote VMs.
Ramesh, thanks for the references and background.
To answer your question: our target architecture is indeed multi-tiered. The application components reside in their own VMs separate to a Teiid-dedicated VM.
Pass-through authentication (https://jira.jboss.org/browse/TEIID-1048) looks like it can achieve what we need, but as you point out it's only for local (embedded) datasource use. Thus, I expect we'll need to develop a proxy datasource which can be installed remotely and proxy the requests to a local instance, or alternatively locate the VDBs with each application's VM.
Any thoughts on extending the Passthrough functionality to work with non-embedded datasource use?
Sounds like your other VMs are also JBoss AS, so you must be using connection pools by JBoss JCA. If that is the case, you can use different JBoss JCA connection pooling strategies for creating your pool. In particular, check out "PoolBySubject". I think this may satisfy your needs.
Look in this example for a configuration sample.
The proxy strategy seems like a lot of work, as you need to stack your proxy data source on the local embedded one and provide all the remote communication framework, thus essentially developing a proxy JDBC driver. I would rather deploy my VDB locally everywhere, and look into scripts to keep these VDBs in sync in my cluster.
Let us know if the above suggestion works, as I myself have not tried this before.
Correction, the above "PoolBySubject" will not work as is. For this to work, you would need to provide your own JAAS module that, given the incoming Subject, figures out (or has a map of) the user-id and password for the Teiid security domain and makes the connection using them, thus making the AS think that the pool is segregated by the subject.
If you do not mind keeping passwords inside the application code, see "PoolByCRI" or "application-managed-security". That will work IMO.
If you are not writing your own JAAS module but would like to keep the pool segregated by the subject ("PoolBySubject"), here is some useful info: http://community.jboss.org/docs/DOC-9350
Also, my assumption above about "application-managed-security" will only work when you follow the above.