JBoss.org Community Documentation
The Teiid system provides a range of built-in and extensible security features to enable secure access to data. For details about how to configure the available security features, see the Admin Guide.
LoginModules are an essential part of the JAAS security framework; they give Teiid customizable user authentication and the ability to reuse existing LoginModules defined for JBoss AS. For information about configuring security in JBoss Application Server, refer to the JBoss Application Server security documentation at http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html.
JBoss Application Server provides several LoginModules for common authentication needs, such as authenticating from text files or LDAP.
Below are some of those available in JBoss Application Server:
Login module that uses simple file based authentication.
Login module that uses LDAP based authentication.
Login module that uses Database-based authentication.
Refer to http://community.jboss.org/docs/DOC-9511.
Login module that uses X509 certificate based authentication.
For all the available login modules refer to http://community.jboss.org/docs/DOC-11287.
If your authentication needs go beyond the provided LoginModules, please refer to the JAAS development guide at http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASLMDevGuide.html. There are also numerous guides available.
If you are extending one of the built-in LoginModules, refer to http://community.jboss.org/docs/DOC-9466.
In situations where Teiid's built-in role mechanism is not sufficient, a custom org.teiid.PolicyDecider can be installed via the <jboss-install>/server/<profile>/deploy/teiid/teiid-jboss-beans.xml configuration file under the "AuthorizationValidator" bean.
Example 8.1. Example Configuration Snippet
    <bean name="AuthorizationValidator" class="org.teiid.dqp.internal.process.DefaultAuthorizationValidator">
        <property name="enabled">true</property>
        <property name="policyDecider"><inject bean="PolicyDecider"/></property>
    </bean>

    <bean name="PolicyDecider" class="com.company.CustomPolicyDecider">
        <property name="someProperty">some value</property>
    </bean>
Your custom PolicyDecider should be installed in a jar that is made available to the same classloader as Teiid, typically the profile lib directory.
A PolicyDecider may be consulted many times for a single user command, but it is only called to make decisions based upon resources that appear in user queries. Any further access of resources through views or stored procedures, just as with data roles, is not checked against a PolicyDecider.
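A deployment check for the configuration in Example 8.1, as an added example that is not part of the Teiid documentation: it parses the beans file, confirms the AuthorizationValidator is enabled, and resolves which class is wired in as the PolicyDecider. The function names, and the `<deployment>` wrapper and namespace in the constructed sample, are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's two beans inside a <deployment> wrapper.
# The wrapper element and its namespace are assumptions about the real file.
SAMPLE = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="AuthorizationValidator"
        class="org.teiid.dqp.internal.process.DefaultAuthorizationValidator">
    <property name="enabled">true</property>
    <property name="policyDecider"><inject bean="PolicyDecider"/></property>
  </bean>
  <bean name="PolicyDecider" class="com.company.CustomPolicyDecider">
    <property name="someProperty">some value</property>
  </bean>
</deployment>"""

def local(tag):
    """Strip an XML namespace so matching works with or without one."""
    return tag.rsplit("}", 1)[-1]

def audit_authorization(xml_text):
    """Hypothetical helper: return (decider_class, findings) for the validator bean."""
    root = ET.fromstring(xml_text)
    beans = {b.get("name"): b for b in root.iter() if local(b.tag) == "bean"}
    validator = beans.get("AuthorizationValidator")
    if validator is None:
        return None, ["AuthorizationValidator bean not found"]
    props = {p.get("name"): p for p in validator if local(p.tag) == "property"}
    findings = []
    enabled = props.get("enabled")
    if enabled is None or (enabled.text or "").strip().lower() != "true":
        findings.append("AuthorizationValidator 'enabled' is not explicitly true")
    # Follow the <inject bean="..."/> reference to the bean that supplies the decider.
    decider = props.get("policyDecider")
    inject = None
    if decider is not None:
        inject = next((c for c in decider if local(c.tag) == "inject"), None)
    if inject is None:
        return None, findings + ["no policyDecider bean is injected"]
    target = beans.get(inject.get("bean"))
    if target is None:
        return None, findings + ["injected bean %r is not defined" % inject.get("bean")]
    return target.get("class"), findings

if __name__ == "__main__":
    print(audit_authorization(SAMPLE))
```

Comparing the returned class name against the decider you intended to deploy catches a beans file that still points at a different implementation after an upgrade or profile copy.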