Re: Java .pgpass reader

From: Radosław Smogura <rsmogura(at)softperience(dot)eu>
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Java .pgpass reader
Date: 2010-06-16 20:44:16
Message-ID: 201006162244.16266.rsmogura@softperience.eu
Lists: pgsql-jdbc

On Wednesday, 16 June 2010 at 20:07:12, Scott Langley wrote:
> Did anyone ever implement code in Java to read Postgres configuration
> information from a user's .pgpass file - or a more general
> pg_service.conf - as discussed in this thread back in 2006?
.pgpass - could be a little useful for desktop JDBC applications, and almost
useless for server applications (and pgpass was created, I think, to
provide passwords for server jobs - CRON etc.)

pg_service.conf - I think this is much more interesting, but only for desktop
applications; server applications generally connect to the database through
WEB/EJB/WS + J2EE, and J2EE servers support much more advanced ways of name
mapping - e.g. the driver could search for such a file on a network share or in
a user shared folder. :)
Implementation of this should be turned off by default, as it could decrease
the security of servers.

> My organization uses .pgpass files to securely store and read user's
> passwords when users run applications in Perl and Python but currently
> not for Java.
Hmm... I will disagree.

Storing a password in any not-fully-user-controlled file (or not in wallet-type
files) is never secure, because a hacker at 90% can retrieve the original
password (if it's not encrypted with a user-provided password), or at least can
reproduce the chain of activities to log in to the database. In theory the
better way is to use a user-in-mind password (but it depends on who uses the
application), and use any type of SSO / e-wallets / Active Directory auto login,
etc. Of course it sometimes depends on particular needs.

Giving a user password to DB is much more insecure just because it is - the user
can see data that it should not see, or perform other bad tasks (deleting,
updating, granting).

But... generally I vote yes. This could be helpful for some fast and
simple applications.
