Re: JDBC and GSSAPI/Krb5

From: Kris Jurka <books(at)ejurka(dot)com>
To: Peter Koczan <pjkoczan(at)gmail(dot)com>
Cc: "Henry B(dot) Hotz" <hotz(at)jpl(dot)nasa(dot)gov>, pgsql-jdbc(at)postgresql(dot)org
Subject: Re: JDBC and GSSAPI/Krb5
Date: 2008-01-30 08:59:40
Message-ID: Pine.BSO.4.64.0801300334060.641@leary.csoft.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-jdbc

On Tue, 29 Jan 2008, Peter Koczan wrote:

> Where I work, we can use a simple connection string, devoid of any
> user or password information, to connect via psql or DBD::Pg, and
> Kerberos works its magic to authenticate to the database server
> properly. I wouldn't mind telling people that they need to specify a
> username with JDBC, but this behavior would mimic that of other
> Kerberos/GSSAPI-enabled interfaces. It's possibly something to keep in
> mind, but if it's too much work or not very feasible or
> non-JDBC-compliant, I wouldn't worry about it.

I'll look into that.

> However, I'm having a bit of trouble authenticating with a simple
> program (see below).
>
> Caused by: java.lang.SecurityException: Unable to locate a login configuration
>

The problem is that even though we know we're using GSSAPI backed by
Kerberos, Java has a generic authentication mechanism that I didn't see a
way to avoid going through and you've got to configure this generic
mechanism to tell it you want to use Kerberos. I've been doing my testing
via:

java -Djava.security.auth.login.config=login.conf MyGssTest

where login.conf contains:

pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
};

There are other ways of configuring the login module other than specifying
it on the command line:

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.html

Additionally there is a means of providing this configuration in code form
(which I've yet to test), but that only works on 1.5+ while GSSAPI works
on 1.4 as well. Further as you can tell from the above configuration,
it's specific to the JVM you're running on. You wouldn't use com.sun.* on
a non-Sun JVM. Finally people may want different options enabled in the
config, so hardcoding this doesn't work from that perspective either:

http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

So perhaps there are better ways of doing things, but I've never used
these APIs before this effort, so I'm certainly no expert. Henry sounds
like he has some more experience in this area, so hopefully he'll weigh
in.

In any case there are enough outstanding issues with the need for
additional configurability that this will not go into the 8.3 release
(which needs to go out this week).

Kris Jurka

In response to

Responses

Browse pgsql-jdbc by date

  From Date Subject
Next Message Kris Jurka 2008-01-30 09:17:23 Re: Update zh_TW translation po file. (73%)
Previous Message Kris Jurka 2008-01-30 08:33:41 Re: 8.3 driver status