use of org.teiid.client.security.LogonResult in project teiid by teiid.
The class GssAction, method authenticate.
/**
 * Performs the client side of a GSS (Kerberos) login against the Teiid server.
 * <p>
 * Configuration comes from the connection {@code props} and from JVM system properties:
 * <ul>
 * <li>{@code JAAS_NAME} - the JAAS application name, defaulting to {@code "Teiid"};</li>
 * <li>{@code KERBEROS_SERVICE_PRINCIPLE_NAME} - the service principal, defaulting to
 *     {@code "TEIID/<host>"} where the host is taken from {@code SERVER_URL};</li>
 * <li>{@code java.security.krb5.conf}, OR the pair {@code java.security.krb5.realm} and
 *     {@code java.security.krb5.kdc} - exactly one of the two forms must be present;</li>
 * <li>{@code java.security.auth.login.config} - the JAAS login configuration file.</li>
 * </ul>
 * If the {@link Subject} of the current access-control context already carries a
 * {@link GSSCredential} (a delegated credential), that credential is reused and no JAAS
 * login is performed; in that path the configuration checks above are collected but
 * never enforced. Otherwise all collected configuration errors are reported at once,
 * a JAAS login is made with the supplied user name/password, and the resulting subject
 * runs the {@link GssAction} via {@link Subject#doAs}.
 * <p>
 * Note the password is handled as a {@link String}: it cannot be zeroed after use.
 *
 * @param logon the server logon proxy the action talks to
 * @param props connection properties (user name, password, server URL, JAAS/Kerberos settings)
 * @return the server's {@link LogonResult}
 * @throws LogonException on missing configuration, JAAS login failure, any other failure
 *         while preparing the action, or when the action itself reports a failure
 * @throws TeiidComponentException propagated unchanged when the action returns one
 * @throws CommunicationException propagated unchanged when the action returns one
 */
public static LogonResult authenticate(ILogon logon, Properties props) throws LogonException, TeiidComponentException, CommunicationException {
    if (logger.isLoggable(Level.FINE)) {
        // $NON-NLS-1$
        logger.fine("GSS Authentication Request");
    }
    Object result = null;
    // Configuration problems are accumulated here and reported together, but only
    // when a fresh JAAS login is actually attempted (see performAuthentication below).
    StringBuilder errors = new StringBuilder();
    String jaasApplicationName = props.getProperty(TeiidURL.CONNECTION.JAAS_NAME);
    // $NON-NLS-1$
    String nl = System.getProperty("line.separator");
    if (jaasApplicationName == null) {
        // $NON-NLS-1$
        jaasApplicationName = "Teiid";
    }
    String kerberosPrincipalName = props.getProperty(TeiidURL.CONNECTION.KERBEROS_SERVICE_PRINCIPLE_NAME);
    if (kerberosPrincipalName == null) {
        // Best effort: derive the service principal from the first host in the server URL.
        try {
            TeiidURL url = new TeiidURL(props.getProperty(TeiidURL.CONNECTION.SERVER_URL));
            // $NON-NLS-1$
            kerberosPrincipalName = "TEIID/" + url.getHostInfo().get(0).getHostName();
        } catch (Exception e) {
            // Ignore exception - an unparsable/missing URL is reported as a missing principal below.
        }
        if (kerberosPrincipalName == null) {
            // $NON-NLS-1$
            errors.append(JDBCPlugin.Util.getString("client_prop_missing", TeiidURL.CONNECTION.KERBEROS_SERVICE_PRINCIPLE_NAME));
            errors.append(nl);
        }
    }
    // $NON-NLS-1$
    String krb5 = System.getProperty("java.security.krb5.conf");
    // $NON-NLS-1$
    String realm = System.getProperty("java.security.krb5.realm");
    // $NON-NLS-1$
    String kdc = System.getProperty("java.security.krb5.kdc");
    // Either a krb5.conf file or the realm/kdc pair must be configured - not neither, not both.
    if (krb5 == null && realm == null && kdc == null) {
        // $NON-NLS-1$
        errors.append(JDBCPlugin.Util.getString("no_gss_selection"));
        errors.append(nl);
    } else if (krb5 != null && (realm != null || kdc != null)) {
        // $NON-NLS-1$
        errors.append(JDBCPlugin.Util.getString("ambigious_gss_selection"));
        errors.append(nl);
    } else if ((realm != null && kdc == null) || (realm == null && kdc != null)) {
        // krb5 is null here.. one half of the realm/kdc pair is missing
        if (realm == null) {
            // $NON-NLS-1$ //$NON-NLS-2$
            errors.append(JDBCPlugin.Util.getString("system_prop_missing", "java.security.krb5.realm"));
            errors.append(nl);
        }
        if (kdc == null) {
            // $NON-NLS-1$ //$NON-NLS-2$
            errors.append(JDBCPlugin.Util.getString("system_prop_missing", "java.security.krb5.kdc"));
            errors.append(nl);
        }
    }
    // $NON-NLS-1$
    String config = System.getProperty("java.security.auth.login.config");
    if (config == null) {
        // $NON-NLS-1$ //$NON-NLS-2$
        errors.append(JDBCPlugin.Util.getString("system_prop_missing", "java.security.auth.login.config"));
        errors.append(nl);
    }
    try {
        String user = props.getProperty(TeiidURL.CONNECTION.USER_NAME);
        String password = props.getProperty(TeiidURL.CONNECTION.PASSWORD);
        boolean performAuthentication = true;
        GSSCredential gssCredential = null;
        // NOTE(review): AccessController/doAs are deprecated in recent JDKs - confirm the target JDK.
        Subject sub = Subject.getSubject(AccessController.getContext());
        if (sub != null) {
            Set<GSSCredential> gssCreds = sub.getPrivateCredentials(GSSCredential.class);
            if (gssCreds != null && gssCreds.size() > 0) {
                // A delegated credential is already present: reuse it, skip the JAAS login.
                gssCredential = gssCreds.iterator().next();
                performAuthentication = false;
                if (logger.isLoggable(Level.FINE)) {
                    // $NON-NLS-1$
                    logger.fine("GSS Authentication using delegated credential");
                }
            } else {
                if (logger.isLoggable(Level.FINE)) {
                    // $NON-NLS-1$
                    logger.fine("No delegation credential found in the subject");
                }
            }
        }
        if (performAuthentication) {
            // Only a fresh login depends on the Kerberos/JAAS configuration checked above.
            if (errors.length() > 0) {
                throw new LogonException(JDBCPlugin.Event.TEIID20005, errors.toString());
            }
            LoginContext lc = new LoginContext(jaasApplicationName, new GSSCallbackHandler(user, password));
            lc.login();
            sub = lc.getSubject();
        }
        PrivilegedAction action = new GssAction(logon, kerberosPrincipalName, props, user, gssCredential);
        // The action returns either a LogonResult or the exception it caught (unwrapped below).
        result = Subject.doAs(sub, action);
    } catch (Exception e) {
        throw new LogonException(JDBCPlugin.Event.TEIID20005, e, JDBCPlugin.Util.gs(JDBCPlugin.Event.TEIID20005));
    }
    // Rethrow the action's failure with its original type where the signature allows it.
    if (result instanceof LogonException) {
        throw (LogonException) result;
    } else if (result instanceof TeiidComponentException) {
        throw (TeiidComponentException) result;
    } else if (result instanceof CommunicationException) {
        throw (CommunicationException) result;
    } else if (result instanceof Exception) {
        throw new LogonException(JDBCPlugin.Event.TEIID20005, (Exception) result, JDBCPlugin.Util.gs(JDBCPlugin.Event.TEIID20005));
    }
    return (LogonResult) result;
}
use of org.teiid.client.security.LogonResult in project teiid by teiid.
The class LogonImpl, method logon (private, session-creating overload).
/**
 * Creates the server session for an already-resolved authentication type and wraps its
 * token in a {@link LogonResult}.
 *
 * @param connProps         connection properties; VDB name/version, application name and
 *                          password are read from it, and a delegated {@link GSSCredential}
 *                          (keyed by its class name) is attached to the session subject if present
 * @param krb5ServiceTicket the GSS service token to echo back to the client, or {@code null}
 * @param authType          the authentication type the session service should apply
 * @param user              the user name to create the session for
 * @return the logon result carrying the session token, VDB name and cluster name
 * @throws LogonException wrapping any {@link LoginException} or {@link SessionServiceException}
 */
private LogonResult logon(Properties connProps, byte[] krb5ServiceTicket, AuthenticationType authType, String user) throws LogonException {
    final String vdbName = connProps.getProperty(BaseDataSource.VDB_NAME);
    final String vdbVersion = connProps.getProperty(BaseDataSource.VDB_VERSION);
    final String applicationName = connProps.getProperty(TeiidURL.CONNECTION.APP_NAME);
    final String password = connProps.getProperty(TeiidURL.CONNECTION.PASSWORD);
    // No password property means no credential object at all, not an empty one.
    final Credentials credential = (password == null) ? null : new Credentials(password.toCharArray());
    try {
        SessionMetadata sessionInfo = service.createSession(vdbName, vdbVersion, authType, user, credential, applicationName, connProps);
        // A delegated GSS credential produced by the GSS negotiation travels with the session subject.
        GSSCredential delegated = (GSSCredential) connProps.get(GSSCredential.class.getName());
        if (delegated != null) {
            addCredentials(sessionInfo.getSubject(), delegated);
        }
        updateDQPContext(sessionInfo);
        // Absence of a client address means an in-process (embedded) caller rather than a remote one.
        if (DQPWorkContext.getWorkContext().getClientAddress() == null) {
            sessionInfo.setEmbedded(true);
        }
        // Older sessions for the same client are not explicitly disassociated here;
        // ping-based cleanup reaps them.
        LogonResult logonResult = new LogonResult(sessionInfo.getSessionToken(), sessionInfo.getVDBName(), clusterName);
        if (krb5ServiceTicket != null) {
            logonResult.addProperty(ILogon.KRB5TOKEN, krb5ServiceTicket);
        }
        return logonResult;
    } catch (LoginException e) {
        throw new LogonException(e);
    } catch (SessionServiceException e) {
        throw new LogonException(e);
    }
}
use of org.teiid.client.security.LogonResult in project teiid by teiid.
The class LogonImpl, method logon (public entry point).
/**
 * Entry point for a client logon. Decides between the user name/password path and the
 * GSS (Kerberos) path based on the VDB's configured authentication type and on whether
 * the client supplied a {@link ILogon#KRB5TOKEN}.
 * <p>
 * Outcomes, in order of evaluation:
 * <ul>
 * <li>KRB5 token present and the VDB uses GSS: the token is matched (once) against a
 *     previously negotiated security context and the session is created as that principal;</li>
 * <li>KRB5 token present but the VDB does not use GSS: falls through to the user name/password
 *     checks below;</li>
 * <li>no token and the VDB uses GSS: clients at or above 8.7 receive a result carrying only
 *     {@link ILogon#AUTH_TYPE} as a challenge to start negotiation, older clients get TEIID40149;</li>
 * <li>otherwise only {@code USERPASSWORD} is accepted; any other type yields TEIID40055.</li>
 * </ul>
 *
 * @param connProps connection properties from the client (VDB name/version, user name,
 *                  optional passthrough flag and KRB5 token)
 * @return the logon result, or a challenge result for GSS negotiation
 * @throws LogonException if the token is unknown/already consumed, the client is too old
 *         for GSS negotiation, or the authentication type is unsupported
 */
public LogonResult logon(Properties connProps) throws LogonException {
    String vdbName = connProps.getProperty(BaseDataSource.VDB_NAME);
    String vdbVersion = connProps.getProperty(BaseDataSource.VDB_VERSION);
    // No user name on the connection means the anonymous user.
    String user = connProps.getProperty(TeiidURL.CONNECTION.USER_NAME, CoreConstants.DEFAULT_ANON_USERNAME);
    boolean onlyAllowPassthrough = Boolean.valueOf(connProps.getProperty(TeiidURL.CONNECTION.PASSTHROUGH_AUTHENTICATION, // $NON-NLS-1$
    "false"));
    // NOTE(review): this flag is read from client-supplied properties and, when true, skips the
    // lookup of the VDB's configured authentication type, leaving USERPASSWORD in effect.
    // Confirm that passthrough mode is restricted elsewhere (e.g. to embedded/trusted callers).
    AuthenticationType authType = AuthenticationType.USERPASSWORD;
    if (!onlyAllowPassthrough) {
        authType = this.service.getAuthenticationType(vdbName, vdbVersion, user);
    }
    // the presence of the KRB5 token take as GSS based login.
    if (connProps.get(ILogon.KRB5TOKEN) != null) {
        if (authType == AuthenticationType.GSS) {
            Object previous = null;
            boolean assosiated = false;
            SecurityHelper securityHelper = service.getSecurityHelper();
            try {
                byte[] krb5Token = (byte[]) connProps.get(ILogon.KRB5TOKEN);
                // The digest is only a map key for the context stored by the GSS negotiation,
                // not an integrity check. remove() consumes the entry, so the same token cannot
                // complete a second logon.
                Object securityContext = this.gssServiceTickets.remove(Base64.encodeBytes(MD5(krb5Token)));
                if (securityContext == null) {
                    throw new LogonException(RuntimePlugin.Event.TEIID40054, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40054));
                }
                // Run the session creation under the negotiated security context, restoring the
                // caller's previous context afterwards regardless of outcome.
                previous = securityHelper.associateSecurityContext(securityContext);
                assosiated = true;
                return logon(connProps, krb5Token, AuthenticationType.GSS, user);
            } finally {
                if (assosiated) {
                    securityHelper.associateSecurityContext(previous);
                }
            }
        } else {
            // shouldn't really get here, but we'll try user name password anyway
        }
    } else if (authType == AuthenticationType.GSS) {
        Version v = DQPWorkContext.getWorkContext().getClientVersion();
        // send a login result with a GSS challange
        if (v.compareTo(Version.EIGHT_7) >= 0) {
            LogonResult result = new LogonResult();
            result.addProperty(ILogon.AUTH_TYPE, authType);
            return result;
        }
        // throw an exception - pre-8.7 clients cannot perform the GSS handshake
        throw new LogonException(RuntimePlugin.Event.TEIID40149, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40149));
    }
    if (!AuthenticationType.USERPASSWORD.equals(authType)) {
        throw new LogonException(RuntimePlugin.Event.TEIID40055, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40055, authType));
    }
    return logon(connProps, null, AuthenticationType.USERPASSWORD, user);
}
use of org.teiid.client.security.LogonResult in project teiid by teiid.
The class LogonImpl, method neogitiateGssLogin (the public overload).
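@Override
/**
 * Runs one round of the GSS (Kerberos/SPNEGO) negotiation for a client and, once the
 * context is established, optionally creates the session in the same call.
 * <p>
 * While the negotiation is incomplete, or when {@code createSession} is {@code false},
 * a placeholder result (session token 0, "temp"/"internal") is returned carrying the
 * server's continuation token, the {@link ILogon#KRB5_ESTABLISHED} flag and - once
 * authenticated - the delegated {@link GSSCredential}. When the context is established
 * and a session is requested, the client-supplied user name is replaced by the principal
 * the GSS layer authenticated before delegating to {@link #logon(Properties)}, so the
 * session is bound to the Kerberos identity rather than to what the client claimed.
 *
 * @param connProps     connection properties (VDB name/version, user name)
 * @param serviceTicket the client's GSS token for this round
 * @param createSession whether to create the session as soon as the context is established
 * @return a placeholder/continuation result, or the real logon result
 * @throws LogonException if the VDB is not configured for GSS, or if the delegated session
 *         creation fails
 */
public LogonResult neogitiateGssLogin(Properties connProps, byte[] serviceTicket, boolean createSession) throws LogonException {
    String vdbName = connProps.getProperty(BaseDataSource.VDB_NAME);
    String vdbVersion = connProps.getProperty(BaseDataSource.VDB_VERSION);
    String user = connProps.getProperty(BaseDataSource.USER_NAME);
    AuthenticationType authType = this.service.getAuthenticationType(vdbName, vdbVersion, user);
    if (!AuthenticationType.GSS.equals(authType)) {
        // $NON-NLS-1$
        throw new LogonException(RuntimePlugin.Event.TEIID40055, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40055, "Kerberos"));
    }
    // Using SPENGO security domain establish a token and subject.
    GSSResult result = neogitiateGssLogin(serviceTicket, vdbName, vdbVersion, user);
    if (!result.isAuthenticated() || !createSession) {
        // Another round trip is needed, or the caller only wants the context established:
        // hand back a placeholder result that does not correspond to a real session.
        // $NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
        LogonResult logonResult = new LogonResult(new SessionToken(0, "temp"), "internal", "internal");
        logonResult.addProperty(ILogon.KRB5TOKEN, result.getServiceToken());
        // Boolean.valueOf replaces the deprecated boxing constructor; the client sees the same value.
        logonResult.addProperty(ILogon.KRB5_ESTABLISHED, Boolean.valueOf(result.isAuthenticated()));
        if (result.isAuthenticated()) {
            logonResult.addProperty(GSSCredential.class.getName(), result.getDelegationCredential());
        }
        return logonResult;
    }
    // GSS API (jdbc) will make the session in one single call.
    // The authenticated principal overrides whatever user name the client sent.
    connProps.setProperty(TeiidURL.CONNECTION.USER_NAME, result.getUserName());
    connProps.put(ILogon.KRB5TOKEN, result.getServiceToken());
    if (result.getDelegationCredential() != null) {
        connProps.put(GSSCredential.class.getName(), result.getDelegationCredential());
    }
    LogonResult logonResult = logon(connProps);
    return logonResult;
}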
use of org.teiid.client.security.LogonResult in project teiid by teiid.
The class TestConnection, method getMMConnection.
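/**
 * Builds a {@link ConnectionImpl} backed by mocked server components for unit tests.
 * <p>
 * The mocked {@link DQP} answers {@code start}/{@code rollback} with
 * {@link ResultsFuture#NULL_FUTURE}, and the mocked {@link ServerConnection} reports a
 * fixed admin session on {@code STD_DATABASE_NAME}. The connection properties are
 * parsed from {@code url}; a URL that fails to parse now fails the test immediately
 * (as an unchecked exception) instead of being logged and silently continuing with
 * empty properties, matching how {@link XATransactionException} is treated here.
 *
 * @param url the JDBC URL to parse into connection properties
 * @return a connection wired to the mocks
 * @throws RuntimeException if stubbing the DQP or parsing the URL fails
 */
public static ConnectionImpl getMMConnection(String url) {
    ServerConnection mock = mock(ServerConnection.class);
    DQP dqp = mock(DQP.class);
    // One shared answer for every stubbed call: all of them just yield the null future.
    Answer nullFuture = new Answer() {
        @Override
        public Object answer(InvocationOnMock invocation) throws Throwable {
            return ResultsFuture.NULL_FUTURE;
        }
    };
    try {
        stub(dqp.start((XidImpl) Mockito.anyObject(), Mockito.anyInt(), Mockito.anyInt())).toAnswer(nullFuture);
        stub(dqp.rollback((XidImpl) Mockito.anyObject())).toAnswer(nullFuture);
        stub(dqp.rollback()).toAnswer(nullFuture);
    } catch (XATransactionException e) {
        throw new RuntimeException(e);
    }
    Properties props = new Properties();
    try {
        new InnerDriver(url).parseUrl(props);
    } catch (SQLException e) {
        // A bad test URL is a test bug: fail loudly rather than continue with empty props.
        throw new RuntimeException(e);
    }
    stub(mock.getService(DQP.class)).toReturn(dqp);
    // $NON-NLS-1$
    stub(mock.getLogonResult()).toReturn(new LogonResult(new SessionToken(1, "admin"), STD_DATABASE_NAME, "fake"));
    return new ConnectionImpl(mock, props, url);
}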