The Teiid system provides a range of built-in and extensible security features to enable the secure access of data. For details about how to configure the available security features check out Admin Guide.
LoginModules are an essential part of the JAAS security framework and provide Teiid customizable user authentication and the ability to reuse existing LoginModules defined for JBossAS. Refer to the JBoss Application Server security documentation for information about configuring security in JBoss Application Server, http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html.
These need to be verified against JBoss AS 7.x
JBoss Application Server provides several LoginModules for common authentication needs, such as authenticating from text files or LDAP.
Below are are some of those available in JBoss Application Server:
UserRoles LoginModule
Login module that uses simple file based authentication.
Refer to http://community.jboss.org/docs/DOC-12510.
LDAP LoginModule
Login module that uses LDAP based authentication.
Refer to http://community.jboss.org/docs/DOC-11253.
Database LoginModule
Login module that uses Database-based authentication.
Refer to http://community.jboss.org/docs/DOC-9511.
Cert LoginModule
Login module that uses X509 certificate based authentication.
See http://community.jboss.org/docs/DOC-9160.
For all the available login modules refer to http://community.jboss.org/docs/DOC-11287.
If your authentication needs go beyond the provided LoginModules, please refer to the JAAS development guide at http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASLMDevGuide.html. There are also numerous guides available.
If you are extending one of the built-in LoginModules, refer to http://community.jboss.org/docs/DOC-9466.
In situations where Teiid's built-in role mechanism is not sufficient, a custom org.teiid.PolicyDecider can be installed via JBoss module. Extend the org.teiid.PolicyDecider interface and build a custom java class. If you are using maven as your build process, you can use following dependencies
<dependencies>
<dependency>
<groupId>org.jboss.teiid</groupId>
<artifactId>teiid-api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.jboss.teiid</groupId>
<artifactId>teiid-common-core</artifactId>
<scope>provided</scope>
</dependency>
</dependencies>
PoilcyDecider interface is loaded by the Teiid using the Java's standard service loader mechanism. For this to work, add the following named file META-INF/services/org.teiid.PolicyDecider with full name of your PolicyDecider implementation class as its contents.
Now package all these files into a JAR archive file and build JBoss module in jboss-as/modules directory. If your PolicyDecider has any third party dependencies those jar files can also be added as dependencies to the same module. Make sure you list all the files in the module.xml file. Below are Teiid specific dependencies that must be added to module.xml
<dependencies>
<module name="org.jboss.teiid.common-core"/>
<module name="org.jboss.teiid.api"/>
<module name="javax.api"/>
</dependencies>
After the module has been added then configuration needs to be changed before the changes can take effect. Edit either standalone-teiid.xml or domain-teiid.xml file, and in the "teiid" subsystem xml fragment add the following xml with the module name created.
<policy-decider module="module-name"/>
then restart the system. A PolicyDecider may be consulted many times for a single user command, but it is only called to make decisions based upon resources that appear in user queries. Any further access of resources through views or stored procedures, just as with data roles, is not checked against a PolicyDecider.