Re: JDBC and GSSAPI/Krb5

[Kris Jurka <books(at)ejurka(dot)com>]

On Thu, 24 Jan 2008, Peter Koczan wrote:

> Hello again, has there been progress on this? As I said before I'm
> willing to be a beta tester for this.

I've hacked together a prototype and can successfully authenticate against 
a gssapi configured server.  It needs a fair amount of cleanup, but there 
are some more fundamental questions about what configuration options we 
need:

1) Do we need a way for the user to uniquely name the application for the 
JAAS LoginContext or can we get away with something generic like pgjdbc? 
The application name is needed for the JAAS login configuration file which 
is needed to enable the krb5 ticket cache.  I'm not sure what else would 
need to be configured or why you might want to do it differently for 
different applications.

2) Do we need to allow the user to configure their own LoginContext 
CallbackHandler to enter a username/password if they don't have an 
existing entry in their ticket cache?  Should we by default just try to 
use the username and password provided in the connection parameters?

3) Do we need a way for the user to specify the server's service name 
(what libpq calls PGKRBSRVNAME)?  I think this is useful if you're running 
two pg servers on the same machine and want to have different rules for 
each one, but I'm not entirely sure about that.

Kris Jurka