Re: Support for cert auth in JDBC
| От | Craig Ringer |
|---|---|
| Тема | Re: Support for cert auth in JDBC |
| Дата | |
| Msg-id | 4DD4B187.6080002@postnewspapers.com.au обсуждение исходный текст |
| Ответ на | Re: Support for cert auth in JDBC (Marc-André Laverdière<marc-andre@atc.tcs.com>) |
| Ответы |
Re: Support for cert auth in JDBC
|
| Список | pgsql-jdbc |
On 05/18/2011 03:48 PM, Marc-André Laverdière wrote: > It is true that anyone who knows the right Java APIs can put that > factory together with little pain. I just think that the average user > shouldn't have to bother about it. > > Also, some use cases do not allow to use the default keystore and trust > store for everything. I agree, and I think you're right that the PgJDBC code should have a re-usable class to provide support for these use cases without everyone having to code their own. I've taken your code and re-worked it a bit to: - Use the PgJDBC WrappedFactory rather than re-implementing an effectively identical one; - Separate the basic construction process of the SSLSocketFactory from its configuration, providing an abstract superclass that does the construction via a few simple method calls, so someone who needs different configuration sources/methods can re-use the code; - Provided a concrete subclass of the above that gets its configuration from system properties and uses the superclass methods to construct the factory. This class has the same functionality as what you posted originally plus a few additional configuration options for additional use cases like non-default KeyStore types (pkcs12 etc); and - Added more extensive JavaDoc It's also possible to pass your own KeyStore and/or TrustStore instances directly if your app has to do something funky like manage an in-memory KeyStore. What I haven't done yet is tested it! This is a preview so you can comment on it and tell me if you think I've gone completely off the rails or not. The simplest uses of the code remain as simple as they were with your original version. You just set some system properties and specify SysPropCertAuthFactory as the sslsocketfactory class. More complex use cases become possible without having to re-implement the whole lot - in particular, if you can't fetch your configuration from system properties you can provide alternative mechanisms to look it up without having to re-write all the JSSE crap. So: thanks VERY much for posting this code. My original demos weren't flexible enough to be included in PgJDBC, and by posting this you really helped motivate me to try to turn your code and my original demoes into something that _was_. What do you think? Note that you'll need PgJDBC on your classpath to complile this now, because it uses org.postgresql.ssl.WrappedFactory . -- Craig Ringer
Вложения
В списке pgsql-jdbc по дате отправления: