4 Replies Latest reply on Sep 9, 2010 5:47 PM by Ramesh Reddy

    Verifying login when client connects to Teiid

    Charles E Simon Newbie

      I cannot seem to get control when the client application connects to Teiid to use my VDB.




      I have created a resource adapter that contains classes that subclass: BasicManagedConnectionFactory, BasicConnectionFactory, and BasicConnection.  They also use the WrappedConnectionFactory and WrappedConnection classes.


      The ra.xml file specifies my ManagedConnectionFactory (subclass of BasicManagedConnectionFactory), WrappedConnectionFactory, and WrappedConnection.  My ManagedConnectionFactory class returns my ConnectionFactory wrapped in a WrappedConnectionFactory when its createConnectionFactory method is invoked.  When the WrappedConnectionFactory object is asked for a connection object it goes through the normal JBoss ConnectionManager processing that gets to the BasicManagedConnectionFactory which creates a BasicManagedConnection object that asks my ConnectionFactory object for a connection.  My connection factory object creates a Connection object of my connection type when getConnection() is invoked.  My connection object gets wrapped up in a WrappedConnection by BasicManagedConnection and that is passed around by Teiid.


      I have an XXX-ds.xml file that defines the data source and properties that get stored in my ManagedConnectionFactory object.  I have an XXX-vdb.xml file that references the JNDI name in the XXX-ds.xml file.  All the properties and configuration parameters are set into the appropriate objects.


      A ManagedConnectionFactory and ConnectionFactory are created for each JNDI name in the XXX-ds.xml file when it deploys. This happens before any translators are deployed or VDBs are activated. This is earlier than I would expect.


      I get an ExecutionFactory object for each model in the VDB when it is deployed into an active state.


      At no time during this processing is there a valid Subject, nor would I expect there to be since the client app has not yet connected.




      When a client app connects to Teiid to access my VDB, I do not see any activity in my LoginModule or the creation of any connection objects (managed or plain).


      In fact I don't see anything happening in my code until my ExecutionFactory is called to get a connection to process the SELECT statement the client sent to Teiid.  I would expect to see something happen when the initial connection is made by the client app.


      WHAT am I doing wrong?

        • 1. Re: Verifying login when client connects to Teiid
          Ramesh Reddy Master



          If you added your own LoginModule then you need to configure Teiid to use this LoginModule in the teiid-jboss-beans.xml file. Check the SessionService bean in this file. I want to make sure this LoginModule is for Teiid, not for your source.


          The behavior is right for the execution factory. Teiid will not try to connect to the sources until it is required by the query engine. The runtime only validates client credentials and creates a session when the initial connection is made.


          If you are looking for your sources to use a separate login module, then you need to provide a "security-domain" property in the -ds.xml file. This defines the JAAS module to be used for the source. Check here: http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch7.chapt.html.


          If you simply want access to the logged-in Subject when the source connection is made, then look at the "ConnectionContext" thread-local object in your resource adapter.



          Hope this helps.



          • 2. Re: Verifying login when client connects to Teiid
            Charles E Simon Newbie

            Thanks for the tip on where to look. I will try that.


            Thinking toward the future, I noticed right above and below the "security-domain" description in chapter 7 there is mention of application managed security.


            I am thinking this might be a better fit for me because I don't know which one of many servers I will be accessing until the client connects.


            The other reason I think this might be a better fit is to support a federated VDB that is a combination of my VDB and, say, a VDB that accesses another SQL engine (SQL Server or Oracle).  This second case would require 2 different sets of credentials: one for my server and a second for accessing the SQL engine.


            How does one set app managed security and how are the credentials passed in?  Are they passed as connection parameters?

            • 3. Re: Verifying login when client connects to Teiid
              Ramesh Reddy Master

              Teiid does not support passing them in as connection parameters.


              Using <application-managed-security/>, you pass in the user name and password like this:


              // JNDI lookup returns Object, so the result must be cast to DataSource
              DataSource ds = (DataSource) context.lookup("java:myDS");
              Connection connection = ds.getConnection("user", "pass");


              This connection strategy can only be used by connections that are made by the client code. Teiid does not have a way to pass in the user and password, so it cannot use the above strategy with the data sources it interacts with. Teiid only calls the "getConnection()" method.


              If <security-domain>foo</security-domain> is used, JBoss AS looks at the private credentials of the "subject" who is logged in to the "foo" domain, takes the user name and password properties, and uses them as login credentials to the underlying data source. This strategy should work through Teiid. However, so far I have not figured out how one can set these "private" credentials. If I find out, I will let you know.


              I am a little confused about what your deployment model is with multiple VDBs and their required security checks. Is it possible for you to draw a picture so it is easier to understand, perhaps?





              • 4. Re: Verifying login when client connects to Teiid
                Ramesh Reddy Master

                To use "security-domain", but pass in a different user, see this http://community.jboss.org/docs/DOC-9350


                However, other than segmenting the pool by the logged in subject, this does not provide a way to pass in unique user name and password for each subject. So in that respect it is no better than not having it in your case IMO.
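
The two sign-on modes discussed in replies 1 and 3, side by side in a -ds.xml file. This is an added example, not part of the original thread or of Teiid's shipped configuration; the JNDI names, rar-name, config-property and the domain name "foo" are constructed placeholders.

```xml
<!-- XXX-ds.xml (constructed example; all names below are placeholders) -->
<connection-factories>

  <!-- Container-managed sign-on: usable for sources Teiid connects to.
       Teiid calls getConnection() with no arguments; JBoss AS resolves the
       Subject through the JAAS domain "foo", which must match an
       <application-policy name="foo"> entry in the server's login-config.xml. -->
  <no-tx-connection-factory>
    <jndi-name>myDS</jndi-name>
    <rar-name>my-adapter.rar</rar-name>
    <connection-definition>javax.resource.cci.ConnectionFactory</connection-definition>
    <config-property name="ServerUrl" type="java.lang.String">placeholder</config-property>
    <security-domain>foo</security-domain>
  </no-tx-connection-factory>

  <!-- Application-managed sign-on: credentials come only from a caller that
       invokes getConnection(user, pass). Teiid never does, so a source
       configured this way receives no credentials when used through a VDB. -->
  <no-tx-connection-factory>
    <jndi-name>myClientOnlyDS</jndi-name>
    <rar-name>my-adapter.rar</rar-name>
    <connection-definition>javax.resource.cci.ConnectionFactory</connection-definition>
    <application-managed-security/>
  </no-tx-connection-factory>

</connection-factories>
```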