Bug 1260621 - RoleBasedCredentialMapIdentityLoginModule throws exception at startup time
Product: JBoss Data Virtualization 6
Classification: JBoss
Component: Teiid
: GA
: 6.3.0
Assigned To: David Le Sage
Juraj Duráni
: Documentation
Reported: 2015-09-07 07:45 EDT by Juraj Duráni
Modified: 2016-08-24 07:36 EDT
Doc Type: Bug Fix
Doc Text:
If a data source is configured to use the RoleBasedCredentialMapIdentityLoginModule, then the user will encounter an exception on launching the product. This is because the default username and password are null.
Last Closed: 2016-08-24 07:36:32 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker TEIID-3684 Major Closed RoleBasedCredentialMapIdentityLoginModule throws exception at startup time 2016-08-09 08:34 EDT

Description Juraj Duráni 2015-09-07 07:45:40 EDT
Description of problem:

If a data source is configured to use RoleBasedCredentialMapIdentityLoginModule, then an exception is thrown at startup [1], because the default username and password are null. Please add module options "username" and "password" to set up a default user (CallerIdentityLoginModule and PassthroughIdentityLoginModule, for example, have similar functionality), so that DV is able to properly load the data source at startup, when no user is authenticated and therefore no mapping can be performed.
Example configuration [2]. Note that there is no exception if the UsersRoles login module is used instead of RealmDirect. However, it means that EAP users are separate from DV users.


    The credentialMap module option should be defined as a URL (file://...). It would be nice to have this information in the documentation.
    I tried to use the unauthenticatedIdentity module option for RealmDirect, but the same exception was thrown with a different root cause (realm 'ApplicationRealm' not found). I do not know why.

[1]
ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-5) Exception during createSubject()PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1084)
at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1079)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_40]
at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1078)
at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:600)
at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:316)
at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:120)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_40]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_40]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_40]


[2]
<security-domain name="my-sec">
    <authentication>
        <login-module code="RealmDirect" flag="required">
            <module-option name="password-stacking" value="tryFirstPass"/>
            <!--<module-option name="unauthenticatedIdentity" value="guest"/>-->
        </login-module>
        <login-module code="org.teiid.jboss.RoleBasedCredentialMapIdentityLoginModule" module="org.jboss.teiid" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="credentialMap" value="file://${jboss.server.config.dir}/teiid-credentialmap.properties"/>
        </login-module>
    </authentication>
</security-domain>

Comment 1 Van Halbert 2015-12-21 16:37:11 EST
No fixes are being recommended for this, as it's being recommended that this login module be deprecated from further use.

At this time, closing this issue as will not fix, unless it becomes a client issue in the future.
Comment 3 JBoss JIRA Server 2016-02-16 12:21:05 EST
Ramesh Reddy <rareddy@jboss.org> updated the status of jira TEIID-3684 to Resolved
Comment 4 Van Halbert 2016-02-16 13:07:32 EST
The use of RoleBasedCredentialMapIdentityLoginModule is being deprecated in DV 6.3, and will be removed in DV 7.
Comment 6 JBoss JIRA Server 2016-08-09 08:34:01 EDT
Steven Hawkins <shawkins@redhat.com> updated the status of jira TEIID-3684 to Closed
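
Because the module is deprecated in DV 6.3 and removed in DV 7, existing server configurations need to be checked for it. The following audit script is an added example, not code from the bug report or from Teiid: it flags security domains that still use the module, a credentialMap value that is not a file:// URL, and the RealmDirect stacking described in the report. The function names, the sample XML and its paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

TEIID = "org.teiid.jboss.RoleBasedCredentialMapIdentityLoginModule"
# Constructed sample input; "my-sec" mirrors the stacking in the report.
SAMPLE = f"""<security-domains>
  <security-domain name="my-sec"><authentication>
    <login-module code="RealmDirect" flag="required"/>
    <login-module code="{TEIID}" flag="required">
      <module-option name="credentialMap" value="file:///opt/dv/map.properties"/>
    </login-module>
  </authentication></security-domain>
  <security-domain name="legacy"><authentication>
    <login-module code="UsersRoles" flag="required"/>
    <login-module code="{TEIID}" flag="required">
      <module-option name="credentialMap" value="/opt/dv/map.properties"/>
    </login-module>
  </authentication></security-domain>
  <security-domain name="other"><authentication>
    <login-module code="UsersRoles" flag="required"/>
  </authentication></security-domain>
</security-domains>"""

def local(tag):
    # Drop any XML namespace so a namespaced standalone.xml matches too.
    return tag.rsplit("}", 1)[-1]

def audit_security_domains(xml_text):
    """Return {domain name: [findings]} for domains using the Teiid module."""
    findings = {}
    for domain in ET.fromstring(xml_text).iter():
        if local(domain.tag) != "security-domain":
            continue
        modules = [e for e in domain.iter() if local(e.tag) == "login-module"]
        codes = [m.get("code") for m in modules]
        if TEIID not in codes:
            continue
        pos = codes.index(TEIID)
        notes = ["uses a login module deprecated in DV 6.3 (removed in DV 7)"]
        opts = {o.get("name"): o.get("value", "") for o in modules[pos]
                if local(o.tag) == "module-option"}
        cred_map = opts.get("credentialMap")
        if cred_map is None:
            notes.append("credentialMap option is missing")
        elif not cred_map.startswith("file://"):
            notes.append("credentialMap is not a file:// URL: " + cred_map)
        if "RealmDirect" in codes[:pos]:
            notes.append("stacked after RealmDirect (PBOX000016 at startup per report)")
        findings[domain.get("name")] = notes
    return findings
```

Pass the text of a server configuration file to `audit_security_domains`; domains that do not use the module are omitted from the result.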
