Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Header And Logo
|
Site Navigation
Re: JDBC and GSSAPI/Krb5
- From: Kris Jurka <books(at)ejurka(dot)com>
- To: Peter Koczan <pjkoczan(at)gmail(dot)com>
- Cc: "Henry B. Hotz" <hotz(at)jpl(dot)nasa(dot)gov>, pgsql-jdbc(at)postgresql(dot)org
- Subject: Re: JDBC and GSSAPI/Krb5
- Date: Wed, 30 Jan 2008 03:59:40 -0500 (EST)
On Tue, 29 Jan 2008, Peter Koczan wrote:
Where I work, we can use a simple connection string, devoid of any user or password information, to connect via psql or DBD::Pg, and Kerberos works its magic to authenticate to the database server properly. I wouldn't mind telling people that they need to specify a username with JDBC, but this behavior would mimic that of other Kerberos/GSSAPI-enabled interfaces. It's possibly something to keep in mind, but if it's too much work or not very feasible or non-JDBC-compliant, I wouldn't worry about it.
I'll look into that.
However, I'm having a bit of trouble authenticating with a simple program (see below). Caused by: java.lang.SecurityException: Unable to locate a login configuration
The problem is that even though we know we're using GSSAPI backed by Kerberos, Java has a generic authentication mechanism that I didn't see a way to avoid going through and you've got to configure this generic mechanism to tell it you want to use Kerberos. I've been doing my testing via:
java -Djava.security.auth.login.config=login.conf MyGssTest
where login.conf contains:
pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};
There are other ways of configuring the login module other than specifying
it on the command line:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.htmlAdditionally there is a means of providing this configuration in code form (which I've yet to test), but that only works on 1.5+ while GSSAPI works on 1.4 as well. Further as you can tell from the above configuration, it's specific to the JVM you're running on. You wouldn't use com.sun.* on a non-Sun JVM. Finally people may want different options enabled in the config, so hardcoding this doesn't work from that perspective either:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.htmlSo perhaps there are better ways of doing things, but I've never used these APIs before this effort, so I'm certainly no expert. Henry sounds like he has some more experience in this area, so hopefully he'll weigh in.
In any case there are enough outstanding issues with the need for additional configurability that this will not go into the 8.3 release (which needs to go out this week).
Kris Jurka
- Follow-Ups:
- Re: JDBC and GSSAPI/Krb5
- From: Henry B. Hotz
- Re: JDBC and GSSAPI/Krb5
- References:
- Re: JDBC and GSSAPI/Krb5
- From: Peter Koczan
- Re: JDBC and GSSAPI/Krb5
- From: Kris Jurka
- Re: JDBC and GSSAPI/Krb5
- From: Henry B. Hotz
- Re: JDBC and GSSAPI/Krb5
- From: Kris Jurka
- Re: JDBC and GSSAPI/Krb5
- From: Peter Koczan
- Re: JDBC and GSSAPI/Krb5
- Prev by Date: Re: 8.3 driver status
- Next by Date: Re: Update zh_TW translation po file. (73%)
- Previous by thread: Re: JDBC and GSSAPI/Krb5
- Next by thread: Re: JDBC and GSSAPI/Krb5
- Indexes: