username@domainname
LoginModules are an essential part of the JAAS security framework and provide Teiid customizable user authentication and the ability to reuse existing LoginModules defined for JBossAS.
Teiid can be configured with multiple named application policies that group together relevant LoginModules. Each of these application policy (or domain) names can be used to fully qualify user names to authenticate only against that domain.
The format for a qualified name is
username@domainname
The security-domain attribute under the transport element in "teiid" subsystem in the <jboss-install>/standalone/configuration/standalone-teiid.xml file is used set the comma separated list of desired domains. For example, in default configuration under "teiid" subsystem you will find
<transport name="jdbc" protocol="teiid" socket-binding="teiid-jdbc">
<ssl mode="login"/>
<authentication security-domain="teiid-security"/>
</transport>
If a user name is not fully qualified, then the installed domains will be consulted in order until a domain successfully or unsuccessfully authenticates the user.
If no domain can authenticate the user, the login attempt will fail. Details of the failed attempt including invalid users, which domains were consulted, etc. will be in the server log with appropriate levels of severity.
The "security-domain" defined for each transport type can be different under Teiid. So, effectively one can configure different transports for JDBC or ODBC or multiple JDBC ports with different security domains
In existing installations an appropriate security domain may already be configured for use by administrative clients (typically for "admin-console"). If the admin connections (CLI and adminshell) are not secured, it is recommended that you secure that interface by executing "add-user.sh" script in the "bin/scripts" directory.
JBossAS provides several LoginModules for common authentication needs, such as authenticating from a Text Based LoginModule or a LDAP Based LoginModule.
You can install multiple login modules as part of single security domain configuration and configure them to be part of the login process. For example, for "teiid-security" domain, you can configure a file based and also LDAP based login modules, and have your user authenticated with either or both login modules. If you want to write your own custom login module, refer to the Developer's Guide for instructions.
The UsersRolesLoginModule utilizes simple text files to authenticate users and to define their groups. The below XML fragment under "security" subsystem shows a Text based login module.
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<security-domain name="teiid-security" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="teiid-security-users.properties"/>
<module-option name="rolesProperties" value="teiid-security-roles.properties"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
The UsersRolesLoginModule is not recommended for production use and is strongly recommended that you replace this login module.
User names and passwords are stored in the <jboss-as>/standalone/configuration/teiid-security-users.properties file.
# A users.properties file for use with the UsersRolesLoginModule # username=password fred=password george=password ...
JAAS role assignments are stored in the <jboss-as>/standalone/configuration/teiid-security-roles.properties file.
# A roles.properties file for use with the UsersRolesLoginModule # username=role1,role2,... data_role_1=fred,sally data_role_2=george
User and role names are entirely up to the needs of the given deployment. For example each application team can set their own security constraints for their VDBs, by mapping their VDB data roles to application specific JAAS roles, e.g. app_role_1=user1,user2,user3.
Teiid data roles names are independent of JAAS roles. VDB creators can choose whatever name they want for their data roles, which are then mapped at deployment time to JAAS roles.
See LDAP LoginModule configuration for the AS community guide. The following are streamlined installation instructions.
Configure LDAP authentication by editing standalone-teiid.xml under "security" sub system. Once the security-domain is defined, then edit the "security-domain" attribute for Teiid's "transport" for which you want use this LDAP login.
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<security-domain name="ldap_security_domain">
<authentication>
<login-module code="LdapExtended" flag="required">
<module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
<module-option name="java.naming.provider.url" value="ldap://mydomain.org:389" />
<module-option name="java.naming.security.authentication" value="simple" />
<module-option name="bindDN" value="myuser" />
<module-option name="bindCredential" value="mypasswd" />
<module-option name="baseCtxDN" value="ou=People,dc=XXXX,dc=ca" />
<module-option name="baseFilter" value="(cn={0})" />
<module-option name="rolesCtxDN" value="ou=Webapp-Roles,ou=Groups,dc=XXXX,dc=ca" />
<module-option name="roleFilter" value=(member={1}) " />
<module-option name="uidAttributeID" value="member" />
<module-option name="roleAttributeID" value="cn" />
<module-option name="roleAttributeIsDN" value="true" />
<module-option name="roleNameAttributeID" value="cn" />
<module-option name="roleRecursion" value="-1" />
<module-option name="searchScope" value="ONELEVEL_SCOPE" />
<module-option name="allowEmptyPasswords" value="false" />
<module-option name="throwValidateError" value="true" />
</login-module>
<login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">
<module-option name="rolesProperties" value="${jboss-install}/standalone/configuration/roles.properties" />
<module-option name="replaceRole" value="false" />
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
If using SSL to the LDAP server, ensure that the Corporate CA Certificate is added to the JRE trust store.
Consult the PostgreSQL ODBC client documentation.