Re: JDBC and GSSAPI/Krb5
От | Kris Jurka |
---|---|
Тема | Re: JDBC and GSSAPI/Krb5 |
Дата | |
Msg-id | Pine.BSO.4.64.0801300334060.641@leary.csoft.net обсуждение исходный текст |
Ответ на | Re: JDBC and GSSAPI/Krb5 ("Peter Koczan" <pjkoczan@gmail.com>) |
Ответы |
Re: JDBC and GSSAPI/Krb5
("Henry B. Hotz" <hotz@jpl.nasa.gov>)
|
Список | pgsql-jdbc |
On Tue, 29 Jan 2008, Peter Koczan wrote: > Where I work, we can use a simple connection string, devoid of any > user or password information, to connect via psql or DBD::Pg, and > Kerberos works its magic to authenticate to the database server > properly. I wouldn't mind telling people that they need to specify a > username with JDBC, but this behavior would mimic that of other > Kerberos/GSSAPI-enabled interfaces. It's possibly something to keep in > mind, but if it's too much work or not very feasible or > non-JDBC-compliant, I wouldn't worry about it. I'll look into that. > However, I'm having a bit of trouble authenticating with a simple > program (see below). > > Caused by: java.lang.SecurityException: Unable to locate a login configuration > The problem is that even though we know we're using GSSAPI backed by Kerberos, Java has a generic authentication mechanism that I didn't see a way to avoid going through and you've got to configure this generic mechanism to tell it you want to use Kerberos. I've been doing my testing via: java -Djava.security.auth.login.config=login.conf MyGssTest where login.conf contains: pgjdbc { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true; }; There are other ways of configuring the login module other than specifying it on the command line: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.html Additionally there is a means of providing this configuration in code form (which I've yet to test), but that only works on 1.5+ while GSSAPI works on 1.4 as well. Further as you can tell from the above configuration, it's specific to the JVM you're running on. You wouldn't use com.sun.* on a non-Sun JVM. Finally people may want different options enabled in the config, so hardcoding this doesn't work from that perspective either: http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html So perhaps there are better ways of doing things, but I've never used these APIs before this effort, so I'm certainly no expert. Henry sounds like he has some more experience in this area, so hopefully he'll weigh in. In any case there are enough outstanding issues with the need for additional configurability that this will not go into the 8.3 release (which needs to go out this week). Kris Jurka
В списке pgsql-jdbc по дате отправления: