Re: JDBC and GSSAPI/Krb5

From: Kris Jurka <books(at)ejurka(dot)com>
To: Peter Koczan <pjkoczan(at)gmail(dot)com>
Cc: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: JDBC and GSSAPI/Krb5
Date: 2008-01-30 08:59:40
Message-ID: Pine.BSO.4.64.0801300334060.641@leary.csoft.net
Lists: pgsql-jdbc

On Tue, 29 Jan 2008, Peter Koczan wrote:

> Where I work, we can use a simple connection string, devoid of any
> user or password information, to connect via psql or DBD::Pg, and
> Kerberos works its magic to authenticate to the database server
> properly. I wouldn't mind telling people that they need to specify a
> username with JDBC, but this behavior would mimic that of other
> Kerberos/GSSAPI-enabled interfaces. It's possibly something to keep in
> mind, but if it's too much work or not very feasible or
> non-JDBC-compliant, I wouldn't worry about it.

I'll look into that.

> However, I'm having a bit of trouble authenticating with a simple
> program (see below).
>
> Caused by: java.lang.SecurityException: Unable to locate a login configuration
>

The problem is that even though we know we're using GSSAPI backed by 
Kerberos, Java has a generic authentication mechanism that I didn't see a 
way to avoid going through and you've got to configure this generic 
mechanism to tell it you want to use Kerberos.  I've been doing my testing 
via:

java -Djava.security.auth.login.config=login.conf MyGssTest

where login.conf contains:

pgjdbc {
     com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

There are other ways of configuring the login module other than specifying 
it on the command line:

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.html

Additionally there is a means of providing this configuration in code form 
(which I've yet to test), but that only works on 1.5+ while GSSAPI works 
on 1.4 as well.  Further as you can tell from the above configuration, 
it's specific to the JVM you're running on.  You wouldn't use com.sun.* on 
a non-Sun JVM.  Finally people may want different options enabled in the 
config, so hardcoding this doesn't work from that perspective either:

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

So perhaps there are better ways of doing things, but I've never used 
these APIs before this effort, so I'm certainly no expert.  Henry sounds 
like he has some more experience in this area, so hopefully he'll weigh 
in.

In any case there are enough outstanding issues with the need for 
additional configurability that this will not go into the 8.3 release 
(which needs to go out this week).

Kris Jurka
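
The in-code configuration route mentioned in the message, as an added example that is not part of the original post or of the PostgreSQL JDBC driver: a JAAS `Configuration` that answers for the `pgjdbc` entry and delegates every other name to whatever configuration was already present. The class name `PgJdbcLoginConfig` and the system property `pgjdbc.krb5.module` are hypothetical, and the code assumes a Java 7 or later compiler; the login module class and its options are left as parameters because, as the message notes, they are JVM-specific.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Added example: programmatic equivalent of the login.conf shown in the message.
public class PgJdbcLoginConfig extends Configuration {
    private static final String ENTRY_NAME = "pgjdbc"; // entry name from login.conf
    private final String moduleClass;           // JVM-specific login module class
    private final Map<String, String> options;  // module options, e.g. useTicketCache
    private final Configuration fallback;       // pre-existing configuration, may be null

    public PgJdbcLoginConfig(String moduleClass, Map<String, String> options,
                             Configuration fallback) {
        this.moduleClass = moduleClass;
        this.options = new HashMap<>(options);
        this.fallback = fallback;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (ENTRY_NAME.equals(name)) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(moduleClass, LoginModuleControlFlag.REQUIRED, options)
            };
        }
        // Other applications' entries still come from the original configuration.
        return fallback == null ? null : fallback.getAppConfigurationEntry(name);
    }

    // Installs this configuration JVM-wide, keeping any existing one as fallback.
    public static void install(String moduleClass, Map<String, String> options) {
        Configuration existing;
        try {
            existing = Configuration.getConfiguration();
        } catch (SecurityException e) {
            existing = null; // "Unable to locate a login configuration": nothing to keep
        }
        Configuration.setConfiguration(new PgJdbcLoginConfig(moduleClass, options, existing));
    }

    public static void main(String[] args) {
        // Hypothetical property so a non-Sun JVM can name its own Kerberos module.
        String module = System.getProperty("pgjdbc.krb5.module",
                "com.sun.security.auth.module.Krb5LoginModule");
        install(module, Collections.singletonMap("useTicketCache", "true"));
        AppConfigurationEntry e = Configuration.getConfiguration().getAppConfigurationEntry(ENTRY_NAME)[0];
        System.out.println(e.getLoginModuleName() + " " + e.getOptions());
    }
}
```

`install` has to run before the first login attempt, and under a security manager the caller needs the `AuthPermission` for `setLoginConfiguration`.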
