17 Replies Latest reply on May 14, 2014 10:24 AM by Rakesh Balguri

    Unable to connect to Teiid Server using custom Security Domain

    Rakesh Balguri Expert

      Hi all,

       

      We are trying to upgrade our application from JBoss 7.1.1 to EAP 6.1 Alpha and Teiid from 8.1 to 8.5.

      I am unable to connect to Teiid using the custom security domain, but I am able to connect using the "teiid-security" security domain.

       

      The following is the snippet from the standalone-teiid.xml file:

       

      {code}
      <security-domain name="chorus-teiid-security" cache-type="default">
          <authentication>
              <login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="required"/>
          </authentication>
      </security-domain>
      <security-domain name="chorus-login-security" cache-type="default">
          <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
              </login-module>
              <login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="sufficient"/>
          </authentication>
      </security-domain>

      <transport name="embedded">
          <authentication security-domain="chorus-login-security"/>
      </transport>
      <transport name="odata">
          <authentication security-domain="teiid-security"/>
      </transport>
      <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
          <authentication security-domain="teiid-security,chorus-teiid-security"/>
      </transport>
      {code}

       

      The following is the exception I get in the logs:

       

      [org.teiid.SECURITY] (New I/O worker #3) null TEIID40011 Processing exception 'TEIID50072 The username "testuser" and/or password and/or payload token could not be authenticated by any membership domain.' for session null.  Exception type org.teiid.client.security.LogonException thrown from org.teiid.jboss.JBossSessionService.authenticate(JBossSessionService.java:74). Enable more detailed logging to see the entire stacktrace.

       

      Please let me know if I need to make any changes in the configuration.

       

      Thanks,

      Rakesh.

        • 1. Re: Unable to connect to Teiid Server using custom Security Domain
          Ramesh Reddy Master

          That looks fine; how did you define the "module" for your custom login module file? Check this: JBoss AS7: Security : Custom Login Modules

           

          You need to define "module" attribute on "login-module" element.

          • 2. Re: Unable to connect to Teiid Server using custom Security Domain
            Rakesh Balguri Expert

            It worked. We did not know that we had to add the module attribute to the login-module.

            It used to work without the module attribute.

            Thanks Ramesh.

            • 3. Re: Unable to connect to Teiid Server using custom Security Domain
              Ramesh Reddy Master

              Not in Teiid 8.x with JBoss AS7.x, unless you copied this jar somewhere else in the classpath before.

              • 4. Re: Unable to connect to Teiid Server using custom Security Domain
                Rakesh Balguri Expert

                Hi Ramesh,

                 

                 We are upgrading to Teiid 8.7 Beta2 and we are facing the same problem even though we have defined the "module" attribute on the "login-module" element.

                 Also, we are using JBoss EAP 6.1.0 Final.

                The following is the configuration:


                {code}
                <security-domain name="chorus-teiid-security" cache-type="default">
                    <authentication>
                        <login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="required" module="com.ca.chorus.common"/>
                    </authentication>
                </security-domain>
                <security-domain name="chorus-cfar-security" cache-type="default">
                    <authentication>
                        <login-module code="com.ca.mfui.chorusR2.common.security.ChorusUsersRolesLoginModule" flag="required" module="com.ca.chorus.common">
                            <module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="chorus-login-security" cache-type="default">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
                            <module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
                        </login-module>
                        <login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="sufficient" module="com.ca.chorus.common"/>
                    </authentication>
                </security-domain>

                <transport name="embedded">
                    <authentication security-domain="chorus-login-security"/>
                </transport>
                <transport name="odata">
                    <authentication security-domain="teiid-security"/>
                </transport>
                <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
                    <authentication security-domain="teiid-security,chorus-teiid-security"/>
                </transport>
                <transport name="odbc" socket-binding="teiid-odbc" protocol="pg">
                    <authentication security-domain="teiid-security"/>
                </transport>
                {code}



                Please suggest.

                 

                Thanks

                Rakesh

                • 5. Re: Unable to connect to Teiid Server using custom Security Domain
                  Ramesh Reddy Master

                  Nothing has changed; just make sure you created the correct directory for your JAR in the "modules" directory and provided a correct "module.xml" file. Then, if it still does not work, what is the error message? If you are seeing "module" not found, then you configured it incorrectly; double-check your settings.

                   

                  Ramesh..
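The two replies above boil down to one check: the JAR named in `module="com.ca.chorus.common"` has to live under the modules root in a directory derived from the dotted module name, next to a `module.xml` whose `name` attribute matches and whose `resource-root` points at a JAR that is actually there. Otherwise the class is never loaded and the server reports a generic authentication failure rather than a missing module. The script below is an added example (not the thread's configuration and not JBoss or Teiid code) that lays out such a module in a scratch directory and then validates it. It assumes the AS 7.1 / EAP 6 `urn:jboss:module:1.1` schema, a JAR called `chorus-common.jar` (name assumed), and dependencies on `org.picketbox` and `javax.api`, which is what a login module extending the `org.jboss.security.auth.spi` classes needs; adjust to your build.

```python
"""Lay out and sanity-check a JBoss AS7 / EAP 6 static module for a custom login module.

Added example, not code from the thread or from the JBoss/Teiid projects.
Assumptions: module name com.ca.chorus.common (from the thread), JAR name
chorus-common.jar (assumed), dependencies org.picketbox + javax.api (assumed).
"""
import os
import tempfile
import xml.etree.ElementTree as ET

NS = "urn:jboss:module:1.1"  # module.xml namespace used by AS 7.1 / EAP 6


def module_dir(modules_root: str, name: str, slot: str = "main") -> str:
    """Map a dotted module name to its directory: com.ca.chorus.common -> com/ca/chorus/common/main."""
    return os.path.join(modules_root, *name.split("."), slot)


def write_module_xml(modules_root: str, name: str, jar_names,
                     deps=("org.picketbox", "javax.api")) -> str:
    """Create <modules_root>/<name as path>/main/module.xml and return its path."""
    d = module_dir(modules_root, name)
    os.makedirs(d, exist_ok=True)
    module = ET.Element("module", {"xmlns": NS, "name": name})
    resources = ET.SubElement(module, "resources")
    for jar in jar_names:
        ET.SubElement(resources, "resource-root", {"path": jar})
    dependencies = ET.SubElement(module, "dependencies")
    for dep in deps:
        ET.SubElement(dependencies, "module", {"name": dep})
    path = os.path.join(d, "module.xml")
    ET.ElementTree(module).write(path, encoding="utf-8", xml_declaration=True)
    return path


def check_module(modules_root: str, name: str, slot: str = "main"):
    """Return a list of problems; an empty list means the module should resolve."""
    problems = []
    d = module_dir(modules_root, name, slot)
    xml_path = os.path.join(d, "module.xml")
    if not os.path.isfile(xml_path):
        return [f"missing {xml_path}"]
    root = ET.parse(xml_path).getroot()
    if root.tag != f"{{{NS}}}module":
        problems.append(f"root element is {root.tag}, expected <module> in namespace {NS}")
    declared = root.get("name")
    if declared != name:
        problems.append(f"module.xml declares name={declared!r} but the directory implies {name!r}")
    roots = root.findall(f"{{{NS}}}resources/{{{NS}}}resource-root")
    if not roots:
        problems.append("no <resource-root> elements: the login module class cannot be found")
    for rr in roots:
        jar = os.path.join(d, rr.get("path", ""))
        if not os.path.isfile(jar):
            problems.append(f"resource-root {rr.get('path')!r} not found at {jar}")
    return problems


def demo():
    """Constructed layout in a temp dir: check once before and once after the JAR is copied in."""
    root = tempfile.mkdtemp()
    name = "com.ca.chorus.common"
    write_module_xml(root, name, ["chorus-common.jar"])
    before = check_module(root, name)  # JAR not copied yet: one problem expected
    # Stand-in for the real JAR, constructed for the demo (empty file).
    open(os.path.join(module_dir(root, name), "chorus-common.jar"), "wb").close()
    after = check_module(root, name)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before copying the JAR:", before)
    print("after copying the JAR: ", after)
```

Run it against `$JBOSS_HOME/modules` with your real module name to get the same list of problems; the `name` mismatch and missing `resource-root` cases are the ones that produce exactly the symptom in this thread, because the server still starts but can never instantiate the login module class.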

                  • 6. Re: Unable to connect to Teiid Server using custom Security Domain
                    Rakesh Balguri Expert

                    Thanks Ramesh.

                    I will re-check the configuration.

                     

                    The following is the exception I get in the logs.

                     

                    01 Apr 2014 17:01:45,559 DEBUG [org.teiid.SECURITY] (New I/O worker #3) null authenticateUser sagra02 JDBC

                    01 Apr 2014 17:01:45,565 WARN  [org.teiid.SECURITY] (New I/O worker #3) null TEIID40011 Processing exception 'TEIID50072 The username "sagra02" and/or password and/or payload token could not be authenticated by any membership domain.' for session null.  Exception type org.teiid.client.security.LogonException thrown from org.teiid.jboss.JBossSessionService.authenticate(JBossSessionService.java:76).: org.teiid.client.security.LogonException: TEIID50072 The username "sagra02" and/or password and/or payload token could not be authenticated by any membership domain.

                      at org.teiid.transport.LogonImpl.logon(LogonImpl.java:149) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at org.teiid.transport.LogonImpl.logon(LogonImpl.java:117) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at sun.reflect.GeneratedMethodAccessor86.invoke(Unknown Source) [:1.7.0_03]

                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_03]

                      at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_03]

                      at org.teiid.transport.ServerWorkItem.run(ServerWorkItem.java:87) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:274) [teiid-engine-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at org.teiid.transport.SocketClientInstance.processMessagePacket(SocketClientInstance.java:207) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at org.teiid.transport.SocketClientInstance.receivedMessage(SocketClientInstance.java:193) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at org.teiid.transport.SSLAwareChannelHandler.messageReceived(SSLAwareChannelHandler.java:211) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.handler.stream.ChunkedWriteHandler.handleUpstream(ChunkedWriteHandler.java:142) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:787) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:462) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:443) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:560) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:555) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:107) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:312) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:88) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [netty-3.6.2.Final-redhat-1.jar:3.6.2.Final-redhat-1]

                      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_03]

                      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_03]

                      at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_03]

                    Caused by: javax.security.auth.login.LoginException: TEIID50072 The username "sagra02" and/or password and/or payload token could not be authenticated by any membership domain.

                      at org.teiid.jboss.JBossSessionService.authenticate(JBossSessionService.java:76) [teiid-jboss-integration-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at org.teiid.services.SessionServiceImpl.createSession(SessionServiceImpl.java:170) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]

                      at org.teiid.transport.LogonImpl.logon(LogonImpl.java:134) [teiid-runtime-8.7.0.Beta2.jar:8.7.0.Beta2]

                      ... 34 more

                    • 7. Re: Unable to connect to Teiid Server using custom Security Domain
                      Ramesh Reddy Master

                      BTW, the transport element in Teiid 8.7 Beta2 only takes a single security domain, so the below is incorrect.

                       

                      <authentication security-domain="teiid-security,chorus-teiid-security"/>


                      Also, you can now add a security-domain in the vdb.xml file as well, to use a particular security domain for a particular VDB. The transport-level configuration will still act as the default.


                      Ramesh..

                      • 8. Re: Unable to connect to Teiid Server using custom Security Domain
                        Rakesh Balguri Expert

                        Thanks Ramesh.

                         

                        Is there a way by which we can specify multiple security domains at the transport level?

                         

                        {code}
                        <transport name="jdbc" socket-binding="teiid-jdbc" protocol="teiid">
                            <authentication security-domain="teiid-security,chorus-teiid-security"/>
                        </transport>
                        {code}

                         

                        Also, can you please point me to the doc for adding the security-domain to the vdb.xml file?

                         

                        Thanks

                        Rakesh.

                        • 9. Re: Unable to connect to Teiid Server using custom Security Domain
                          Ramesh Reddy Master

                          Rakesh,

                           

                          Here is the documentation VDB Definition - Teiid 8.7 (draft) - Project Documentation Editor

                           

                          No, you cannot specify multiple security domains on the transport either. If you need to have multiple authentication methods, you can define them in a single "security-domain" with multiple "login-module" entries. It would give you the same functionality. For example:

                           

                          {code}
                          <security-domain name="teiid-security" cache-type="default">
                              <authentication>
                                  <login-module code="com.ca.mfui.chorusR2.common.security.ChorusLoginModule" flag="required" module="com.ca.chorus.common"/>
                                  <login-module code="UserRoles" flag="sufficient">
                                      <module-option name="password-stacking" value="useFirstPass"/>
                                      <module-option name="usersProperties" value="teiid-users.properties"/>
                                      <module-option name="rolesProperties" value="teiid-roles.properties"/>
                                  </login-module>
                              </authentication>
                          </security-domain>
                          {code}

                           

                          There is no need for verbose definitions of security domains; that was an old concept from before login modules that got carried over from old versions.

                           

                          Ramesh..
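When several login modules are stacked in one security domain, the control flag on each entry decides which users get in and which modules are even consulted, so it is worth checking that the chosen flags match the "either store may authenticate" intent behind the original two-domain transport setting. The script below is an added example, not code from the thread or from the Teiid/JBoss projects: it re-implements the JAAS `LoginContext` control-flag rules (required, requisite, sufficient, optional) and runs them over two layouts, the required-then-sufficient arrangement from the reply above and the sufficient-then-sufficient arrangement from the original `chorus-login-security` domain. The users, passwords and the two in-memory "stores" are constructed for the demonstration; a module "failing" stands for `login()` throwing `LoginException`, and the `password-stacking` option is not modelled.

```python
"""Model of JAAS login-module stacking (required / requisite / sufficient / optional).

Added example, not code from the thread or from Teiid/JBoss. It reproduces the
control-flag rules documented for javax.security.auth.login.LoginContext; no
real login module is invoked. Users and stores below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Credentials = Dict[str, str]


@dataclass
class LoginModule:
    name: str
    flag: str                          # required | requisite | sufficient | optional
    login: Callable[[str, str], bool]  # True = success, False = failure (LoginException)


def store_login(store: Credentials) -> Callable[[str, str], bool]:
    """Build a login() that succeeds only for users in `store` with the matching password."""
    return lambda user, password: store.get(user) == password


def authenticate(modules: List[LoginModule], user: str, password: str) -> Tuple[bool, List[str]]:
    """Phase 1 of LoginContext.login(): call each module's login() in order.

    Returns (overall_success, names of modules actually invoked).
      required   - must succeed; evaluation continues regardless of outcome
      requisite  - must succeed; on failure control returns at once
      sufficient - on success control returns at once unless an earlier
                   required/requisite module failed; on failure continue
      optional   - does not decide the result; continue
    Overall success needs every invoked required/requisite module to succeed;
    if none is configured, some sufficient/optional module must have succeeded.
    """
    invoked: List[str] = []
    required_seen = required_failed = other_succeeded = False
    for m in modules:
        invoked.append(m.name)
        ok = m.login(user, password)
        if m.flag in ("required", "requisite"):
            required_seen = True
            if not ok:
                required_failed = True
                if m.flag == "requisite":
                    break
        elif m.flag == "sufficient":
            if ok:
                other_succeeded = True
                if not required_failed:
                    break
        elif m.flag == "optional":
            other_succeeded = other_succeeded or ok
        else:
            raise ValueError(f"unknown control flag {m.flag!r} on {m.name}")
    if required_seen:
        return (not required_failed), invoked
    return other_succeeded, invoked


# Constructed stores: one user known only to the properties file, one only to the custom module.
PROPERTIES_USERS: Credentials = {"alice": "alice-pw"}
CUSTOM_USERS: Credentials = {"bob": "bob-pw"}


def required_then_sufficient() -> List[LoginModule]:
    """Single-domain layout from the reply above: custom module required, UserRoles sufficient."""
    return [
        LoginModule("ChorusLoginModule", "required", store_login(CUSTOM_USERS)),
        LoginModule("UserRoles", "sufficient", store_login(PROPERTIES_USERS)),
    ]


def sufficient_then_sufficient() -> List[LoginModule]:
    """Layout of the original chorus-login-security domain: both modules sufficient."""
    return [
        LoginModule("UsersRolesLoginModule", "sufficient", store_login(PROPERTIES_USERS)),
        LoginModule("ChorusLoginModule", "sufficient", store_login(CUSTOM_USERS)),
    ]


def compare() -> Dict[str, Tuple[bool, List[str]]]:
    """Run both layouts for a properties-file user, a custom-store user and an unknown user."""
    results = {}
    for layout_name, layout in (("required+sufficient", required_then_sufficient),
                                ("sufficient+sufficient", sufficient_then_sufficient)):
        for user, password in (("alice", "alice-pw"), ("bob", "bob-pw"), ("mallory", "x")):
            results[f"{layout_name}/{user}"] = authenticate(layout(), user, password)
    return results


if __name__ == "__main__":
    for key, (ok, chain) in compare().items():
        print(f"{key:32} -> {'OK  ' if ok else 'DENY'} via {chain}")
```

Two outcomes are worth noticing: with the custom module marked `required`, a user who exists only in the properties file is denied even though `UserRoles` accepts them, and with both modules `sufficient` a properties-file user never reaches the custom module at all, because the first successful `sufficient` entry ends evaluation. Pick the flags for the behaviour you actually want rather than copying a snippet.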

                          • 11. Re: Unable to connect to Teiid Server using custom Security Domain
                            Steven Hawkins Master

                            We'll also need to call this out more in the docs/release notes in case others are attempting to use the old-style configuration.  We may even need to offer, in 8.7.1, the ability to still use the old-style multiple security domains per transport.

                            • 12. Re: Unable to connect to Teiid Server using custom Security Domain
                              Steven Hawkins Master

                              > We may even need to offer, in 8.7.1, the ability to still use the old-style multiple security domains per transport.

                               

                              8.7.1 and 8.8 will have [TEIID-2928] Allow for backwards compatibility with multiple security domains per transport - JBoss Issue Tracker but that will only be to bridge until 9.  It's much cleaner to associate a single security domain per vdb.

                              • 13. Re: Unable to connect to Teiid Server using custom Security Domain
                                Rakesh Balguri Expert

                                Hi,

                                 

                                We have applied the patch for the issue [TEIID-2928] Allow for backwards compatibility with multiple security domains per transport - JBoss Issue Tracker to the Teiid 8.7 source code, as we did not want to change anything in our code related to the security domains and authentication.

                                We are able to specify multiple security domains but we are facing a problem.

                                 

                                Whenever we call executionContext.getSubject() to retrieve the Subject, it always returns null.

                                 

                                Do we know why it always returns null? Any pointers to debug and fix this?

                                • 14. Re: Unable to connect to Teiid Server using custom Security Domain
                                  Ramesh Reddy Master

                                  You can start debugging in the SessionServiceImpl class, createSession method and see what is occurring with authentication and why you are seeing null.
