
Example 6 with LogonResult

use of org.teiid.client.security.LogonResult in project teiid by teiid.

the class GssAction method authenticate.

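/**
 * Performs a GSS (Kerberos) logon on behalf of the client.
 * <p>
 * If the {@link Subject} of the current access-control context already carries a
 * {@link GSSCredential}, that delegated credential is used and no JAAS login is done.
 * Otherwise a fresh JAAS login is performed under the application name taken from
 * {@code TeiidURL.CONNECTION.JAAS_NAME} (default {@code "Teiid"}), and only in that case
 * are the local Kerberos/JAAS configuration checks below enforced. The actual logon then
 * runs as a {@link GssAction} inside {@link Subject#doAs}; the action may hand a failure back
 * as a return value rather than throwing, which is why the result is inspected afterwards.
 *
 * @param logon the server logon proxy used by the privileged action
 * @param props connection properties (user name, password, service principal, server url,
 *              JAAS application name)
 * @return the server's {@link LogonResult}
 * @throws LogonException when the local configuration is incomplete, the JAAS login fails,
 *         or the privileged action reports a failure
 * @throws TeiidComponentException when the privileged action reports it
 * @throws CommunicationException when the privileged action reports it
 */
public static LogonResult authenticate(ILogon logon, Properties props) throws LogonException, TeiidComponentException, CommunicationException {
    if (logger.isLoggable(Level.FINE)) {
        // $NON-NLS-1$
        logger.fine("GSS Authentication Request");
    }
    Object result = null;
    StringBuilder errors = new StringBuilder();
    String jaasApplicationName = props.getProperty(TeiidURL.CONNECTION.JAAS_NAME);
    // $NON-NLS-1$
    String nl = System.getProperty("line.separator");
    if (jaasApplicationName == null) {
        // $NON-NLS-1$
        jaasApplicationName = "Teiid";
    }
    // Service principal: the explicit property wins; otherwise TEIID/<host> is derived from the server url.
    String kerberosPrincipalName = props.getProperty(TeiidURL.CONNECTION.KERBEROS_SERVICE_PRINCIPLE_NAME);
    if (kerberosPrincipalName == null) {
        try {
            TeiidURL url = new TeiidURL(props.getProperty(TeiidURL.CONNECTION.SERVER_URL));
            // $NON-NLS-1$
            kerberosPrincipalName = "TEIID/" + url.getHostInfo().get(0).getHostName();
        } catch (Exception e) {
            // Best effort only: a missing or unparsable server url is reported below as a
            // missing principal, but the reason is kept in the FINE log for diagnosis.
            if (logger.isLoggable(Level.FINE)) {
                // $NON-NLS-1$
                logger.log(Level.FINE, "Could not derive the kerberos service principal from the server url", e);
            }
        }
        if (kerberosPrincipalName == null) {
            // $NON-NLS-1$
            errors.append(JDBCPlugin.Util.getString("client_prop_missing", TeiidURL.CONNECTION.KERBEROS_SERVICE_PRINCIPLE_NAME));
            errors.append(nl);
        }
    }
    // Exactly one way of locating the KDC must be configured: either a krb5 config file,
    // or both the realm and the kdc system properties.
    // $NON-NLS-1$
    String krb5 = System.getProperty("java.security.krb5.conf");
    // $NON-NLS-1$
    String realm = System.getProperty("java.security.krb5.realm");
    // $NON-NLS-1$
    String kdc = System.getProperty("java.security.krb5.kdc");
    if (krb5 == null && realm == null && kdc == null) {
        // $NON-NLS-1$
        errors.append(JDBCPlugin.Util.getString("no_gss_selection"));
        errors.append(nl);
    } else if (krb5 != null && (realm != null || kdc != null)) {
        // $NON-NLS-1$
        errors.append(JDBCPlugin.Util.getString("ambigious_gss_selection"));
        errors.append(nl);
    } else if ((realm != null && kdc == null) || (realm == null && kdc != null)) {
        // krb5 is null here..
        if (realm == null) {
            // $NON-NLS-1$ //$NON-NLS-2$
            errors.append(JDBCPlugin.Util.getString("system_prop_missing", "java.security.krb5.realm"));
            errors.append(nl);
        }
        if (kdc == null) {
            // $NON-NLS-1$ //$NON-NLS-2$
            errors.append(JDBCPlugin.Util.getString("system_prop_missing", "java.security.krb5.kdc"));
            errors.append(nl);
        }
    }
    // The JAAS login configuration is required for a fresh login.
    // $NON-NLS-1$
    String config = System.getProperty("java.security.auth.login.config");
    if (config == null) {
        // $NON-NLS-1$ //$NON-NLS-2$
        errors.append(JDBCPlugin.Util.getString("system_prop_missing", "java.security.auth.login.config"));
        errors.append(nl);
    }
    try {
        String user = props.getProperty(TeiidURL.CONNECTION.USER_NAME);
        String password = props.getProperty(TeiidURL.CONNECTION.PASSWORD);
        boolean performAuthentication = true;
        GSSCredential gssCredential = null;
        // A delegated credential already present on the caller's subject takes precedence
        // over a new JAAS login.
        Subject sub = Subject.getSubject(AccessController.getContext());
        if (sub != null) {
            Set<GSSCredential> gssCreds = sub.getPrivateCredentials(GSSCredential.class);
            if (gssCreds != null && gssCreds.size() > 0) {
                gssCredential = gssCreds.iterator().next();
                performAuthentication = false;
                if (logger.isLoggable(Level.FINE)) {
                    // $NON-NLS-1$
                    logger.fine("GSS Authentication using delegated credential");
                }
            } else {
                if (logger.isLoggable(Level.FINE)) {
                    // $NON-NLS-1$
                    logger.fine("No delegation credential found in the subject");
                }
            }
        }
        if (performAuthentication) {
            // Configuration problems are only fatal when we actually have to log in ourselves.
            if (errors.length() > 0) {
                throw new LogonException(JDBCPlugin.Event.TEIID20005, errors.toString());
            }
            LoginContext lc = new LoginContext(jaasApplicationName, new GSSCallbackHandler(user, password));
            lc.login();
            sub = lc.getSubject();
        }
        PrivilegedAction action = new GssAction(logon, kerberosPrincipalName, props, user, gssCredential);
        result = Subject.doAs(sub, action);
    } catch (LogonException e) {
        // Keep the detailed configuration message rather than burying it as the cause
        // of a generic TEIID20005.
        throw e;
    } catch (Exception e) {
        throw new LogonException(JDBCPlugin.Event.TEIID20005, e, JDBCPlugin.Util.gs(JDBCPlugin.Event.TEIID20005));
    }
    // The action reports failures as its return value; surface them as the matching exception.
    if (result instanceof LogonException) {
        throw (LogonException) result;
    } else if (result instanceof TeiidComponentException) {
        throw (TeiidComponentException) result;
    } else if (result instanceof CommunicationException) {
        throw (CommunicationException) result;
    } else if (result instanceof Exception) {
        throw new LogonException(JDBCPlugin.Event.TEIID20005, (Exception) result, JDBCPlugin.Util.gs(JDBCPlugin.Event.TEIID20005));
    }
    return (LogonResult) result;
}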

Example 7 with LogonResult

use of org.teiid.client.security.LogonResult in project teiid by teiid.

the class LogonImpl method logon.

/**
 * Creates the server-side session for an already-decided authentication type and
 * wraps it in a {@link LogonResult}.
 * <p>
 * The password (when present) is passed to the session service as {@link Credentials};
 * a delegated {@link GSSCredential} stored under its class name in {@code connProps} is
 * attached to the session's subject. The session is marked embedded when the work
 * context has no client address.
 *
 * @param connProps         connection properties (vdb name/version, application name, password)
 * @param krb5ServiceTicket service ticket to echo back to the client, or {@code null}
 * @param authType          authentication type the session is created with
 * @param user              user name the session is created for
 * @return the logon result carrying the session token, vdb name and cluster name
 * @throws LogonException when the session service rejects the login or fails
 */
private LogonResult logon(Properties connProps, byte[] krb5ServiceTicket, AuthenticationType authType, String user) throws LogonException {
    final String vdbName = connProps.getProperty(BaseDataSource.VDB_NAME);
    final String vdbVersion = connProps.getProperty(BaseDataSource.VDB_VERSION);
    final String applicationName = connProps.getProperty(TeiidURL.CONNECTION.APP_NAME);
    final String password = connProps.getProperty(TeiidURL.CONNECTION.PASSWORD);
    final Credentials credential = (password == null) ? null : new Credentials(password.toCharArray());
    try {
        SessionMetadata sessionInfo = service.createSession(vdbName, vdbVersion, authType, user, credential, applicationName, connProps);
        Object delegated = connProps.get(GSSCredential.class.getName());
        if (delegated != null) {
            addCredentials(sessionInfo.getSubject(), (GSSCredential) delegated);
        }
        updateDQPContext(sessionInfo);
        boolean embedded = DQPWorkContext.getWorkContext().getClientAddress() == null;
        if (embedded) {
            sessionInfo.setEmbedded(true);
        }
        // TODO: we should be smarter about disassociating the old sessions from the client.
        // we'll just rely on ping based clean up
        LogonResult logonResult = new LogonResult(sessionInfo.getSessionToken(), sessionInfo.getVDBName(), clusterName);
        if (krb5ServiceTicket != null) {
            logonResult.addProperty(ILogon.KRB5TOKEN, krb5ServiceTicket);
        }
        return logonResult;
    } catch (LoginException | SessionServiceException e) {
        throw new LogonException(e);
    }
}

Example 8 with LogonResult

use of org.teiid.client.security.LogonResult in project teiid by teiid.

the class LogonImpl method logon.

/**
 * Entry point for a client logon: decides how the client must authenticate and either
 * creates the session or returns a GSS challenge.
 * <p>
 * The authentication type comes from the session service unless passthrough-only
 * authentication is requested, in which case user/password is assumed. A KRB5 token in
 * {@code connProps} together with a GSS authentication type completes a GSS logon: the
 * token's digest must match a previously negotiated, single-use entry in
 * {@code gssServiceTickets}, whose security context is associated for the duration of the
 * session creation and restored afterwards. A GSS authentication type without a token
 * yields a challenge result for clients at version 8.7 or later and an error for older ones.
 * A token without a GSS authentication type is ignored and user/password is tried.
 *
 * @param connProps connection properties supplied by the client
 * @return the logon result, or a GSS challenge result carrying only {@code ILogon.AUTH_TYPE}
 * @throws LogonException when the token is unknown, the client is too old for a GSS
 *         challenge, or the required authentication type is not user/password
 */
public LogonResult logon(Properties connProps) throws LogonException {
    String vdbName = connProps.getProperty(BaseDataSource.VDB_NAME);
    String vdbVersion = connProps.getProperty(BaseDataSource.VDB_VERSION);
    String user = connProps.getProperty(TeiidURL.CONNECTION.USER_NAME, CoreConstants.DEFAULT_ANON_USERNAME);
    // $NON-NLS-1$
    String passthroughOnly = connProps.getProperty(TeiidURL.CONNECTION.PASSTHROUGH_AUTHENTICATION, "false");
    AuthenticationType authType = Boolean.valueOf(passthroughOnly)
            ? AuthenticationType.USERPASSWORD
            : this.service.getAuthenticationType(vdbName, vdbVersion, user);
    Object token = connProps.get(ILogon.KRB5TOKEN);
    boolean gss = authType == AuthenticationType.GSS;
    if (gss && token != null) {
        // the presence of the KRB5 token take as GSS based login.
        SecurityHelper securityHelper = service.getSecurityHelper();
        byte[] krb5Token = (byte[]) token;
        // Single use: the negotiated entry is removed as it is consumed.
        Object securityContext = this.gssServiceTickets.remove(Base64.encodeBytes(MD5(krb5Token)));
        if (securityContext == null) {
            throw new LogonException(RuntimePlugin.Event.TEIID40054, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40054));
        }
        Object previous = securityHelper.associateSecurityContext(securityContext);
        try {
            return logon(connProps, krb5Token, AuthenticationType.GSS, user);
        } finally {
            // Always put the caller's security context back.
            securityHelper.associateSecurityContext(previous);
        }
    }
    if (gss) {
        // No token yet: send a login result with a GSS challenge, if the client understands it.
        Version clientVersion = DQPWorkContext.getWorkContext().getClientVersion();
        if (clientVersion.compareTo(Version.EIGHT_7) < 0) {
            throw new LogonException(RuntimePlugin.Event.TEIID40149, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40149));
        }
        LogonResult challenge = new LogonResult();
        challenge.addProperty(ILogon.AUTH_TYPE, authType);
        return challenge;
    }
    // A token without a GSS authentication type shouldn't really happen; user name/password is tried anyway.
    if (!AuthenticationType.USERPASSWORD.equals(authType)) {
        throw new LogonException(RuntimePlugin.Event.TEIID40055, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40055, authType));
    }
    return logon(connProps, null, AuthenticationType.USERPASSWORD, user);
}

Example 9 with LogonResult

use of org.teiid.client.security.LogonResult in project teiid by teiid.

the class LogonImpl method neogitiateGssLogin.

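/**
 * Runs one step of the GSS negotiation for a client and, once the negotiation is
 * complete, optionally creates the session.
 * <p>
 * The vdb must be configured for GSS authentication. While the negotiation is still in
 * progress, or when the caller asked not to create a session, a placeholder
 * {@link LogonResult} (token {@code 0}/{@code "temp"}, vdb and cluster {@code "internal"}) is
 * returned that carries the next service token under {@code ILogon.KRB5TOKEN}, the
 * established flag under {@code ILogon.KRB5_ESTABLISHED} and, once authenticated, the
 * delegation credential under the {@link GSSCredential} class name. That placeholder is not
 * a usable session. Otherwise the negotiated user name, token and delegation credential are
 * written into {@code connProps} and the regular {@link #logon(Properties)} creates the session.
 *
 * @param connProps     connection properties; updated in place when a session is created
 * @param serviceTicket the client's current GSS service ticket
 * @param createSession whether to create the session once the negotiation succeeds
 * @return a negotiation placeholder or the real logon result
 * @throws LogonException when the vdb is not configured for GSS or the session logon fails
 */
@Override
public LogonResult neogitiateGssLogin(Properties connProps, byte[] serviceTicket, boolean createSession) throws LogonException {
    String vdbName = connProps.getProperty(BaseDataSource.VDB_NAME);
    String vdbVersion = connProps.getProperty(BaseDataSource.VDB_VERSION);
    String user = connProps.getProperty(BaseDataSource.USER_NAME);
    AuthenticationType authType = this.service.getAuthenticationType(vdbName, vdbVersion, user);
    if (!AuthenticationType.GSS.equals(authType)) {
        // $NON-NLS-1$
        throw new LogonException(RuntimePlugin.Event.TEIID40055, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40055, "Kerberos"));
    }
    // Using SPENGO security domain establish a token and subject.
    GSSResult result = neogitiateGssLogin(serviceTicket, vdbName, vdbVersion, user);
    if (!result.isAuthenticated() || !createSession) {
        // Negotiation still in progress (or no session wanted): hand back a placeholder, not a session.
        // $NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
        LogonResult logonResult = new LogonResult(new SessionToken(0, "temp"), "internal", "internal");
        logonResult.addProperty(ILogon.KRB5TOKEN, result.getServiceToken());
        // Boolean.valueOf instead of the deprecated Boolean constructor; equal value, no allocation.
        logonResult.addProperty(ILogon.KRB5_ESTABLISHED, Boolean.valueOf(result.isAuthenticated()));
        if (result.isAuthenticated()) {
            logonResult.addProperty(GSSCredential.class.getName(), result.getDelegationCredential());
        }
        return logonResult;
    }
    // GSS API (jdbc) will make the session in one single call
    connProps.setProperty(TeiidURL.CONNECTION.USER_NAME, result.getUserName());
    connProps.put(ILogon.KRB5TOKEN, result.getServiceToken());
    if (result.getDelegationCredential() != null) {
        connProps.put(GSSCredential.class.getName(), result.getDelegationCredential());
    }
    return logon(connProps);
}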

Example 10 with LogonResult

use of org.teiid.client.security.LogonResult in project teiid by teiid.

the class TestConnection method getMMConnection.

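/**
 * Builds a {@link ConnectionImpl} backed by mocked server components for tests.
 * <p>
 * The mocked {@code DQP} answers {@code start}/{@code rollback} with
 * {@code ResultsFuture.NULL_FUTURE}; the mocked {@code ServerConnection} returns that DQP
 * and a fixed {@link LogonResult} (session {@code 1}/{@code "admin"}, database
 * {@code STD_DATABASE_NAME}, cluster {@code "fake"}). The connection properties are parsed
 * from {@code url} by {@code InnerDriver}.
 *
 * @param url the JDBC url to parse the connection properties from
 * @return a connection wired to the mocks
 * @throws RuntimeException when stubbing fails or the url cannot be parsed; a half-parsed
 *         property set would only produce confusing failures later in the test
 */
public static ConnectionImpl getMMConnection(String url) {
    ServerConnection mock = mock(ServerConnection.class);
    DQP dqp = mock(DQP.class);
    // One shared answer for every transactional call: they all complete immediately.
    Answer<Object> nullFuture = new Answer<Object>() {

        @Override
        public Object answer(InvocationOnMock invocation) throws Throwable {
            return ResultsFuture.NULL_FUTURE;
        }
    };
    try {
        stub(dqp.start((XidImpl) Mockito.anyObject(), Mockito.anyInt(), Mockito.anyInt())).toAnswer(nullFuture);
        stub(dqp.rollback((XidImpl) Mockito.anyObject())).toAnswer(nullFuture);
        stub(dqp.rollback()).toAnswer(nullFuture);
    } catch (XATransactionException e) {
        throw new RuntimeException(e);
    }
    Properties props = new Properties();
    try {
        new InnerDriver(url).parseUrl(props);
    } catch (SQLException e) {
        // Fail the test here instead of continuing with an incomplete property set.
        throw new RuntimeException(e);
    }
    stub(mock.getService(DQP.class)).toReturn(dqp);
    // $NON-NLS-1$
    stub(mock.getLogonResult()).toReturn(new LogonResult(new SessionToken(1, "admin"), STD_DATABASE_NAME, "fake"));
    return new ConnectionImpl(mock, props, url);
}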
