
Make GSS JAAS login optional (#922)

* Add an option for disabling JAAS login

* Add documentation section for new option

* Improve docs wording
sigmaris authored and davecramer committed Jan 4, 2018
1 parent c6fec34 commit d7f0f271b73adbf0ae22146beea122e014d9f9f2
@@ -304,7 +304,15 @@ Connection conn = DriverManager.getConnection(url);

* **jaasApplicationName** = String

Specifies the name of the JAAS system or application login configuration.
Specifies the name of the JAAS system or application login configuration.

* **jaasLogin** = boolean

Specifies whether to perform a JAAS login before authenticating with GSSAPI.
If set to `true` (the default), the driver will attempt to obtain GSS credentials
using the configured JAAS login module(s) (e.g. `Krb5LoginModule`) before
authenticating. To skip the JAAS login, for example if the native GSS
implementation is being used to obtain credentials, set this to `false`.

* **ApplicationName** = String

@@ -304,6 +304,13 @@
*/
APPLICATION_NAME("ApplicationName", DriverInfo.DRIVER_NAME, "Name of the Application (backend >= 9.0)"),

/**
* Flag to enable/disable obtaining a GSS credential via JAAS login before authenticating.
* Useful if setting system property javax.security.auth.useSubjectCredsOnly=false
* or using native GSS with system property sun.security.jgss.native=true
*/
JAAS_LOGIN("jaasLogin", "true", "Login with JAAS before doing GSSAPI authentication"),

/**
* Specifies the name of the JAAS system or application login configuration.
*/
@@ -601,7 +601,8 @@ private void doAuthentication(PGStream pgStream, String host, String user, Prope
/* Use JGSS's GSSAPI for this request */
org.postgresql.gss.MakeGSS.authenticate(pgStream, host, user, password,
PGProperty.JAAS_APPLICATION_NAME.get(info),
PGProperty.KERBEROS_SERVER_NAME.get(info), usespnego);
PGProperty.KERBEROS_SERVER_NAME.get(info), usespnego,
PGProperty.JAAS_LOGIN.getBoolean(info));
}
break;
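Review bot: The `MakeGSS.authenticate` call now ends in two adjacent positional booleans, `usespnego` and `PGProperty.JAAS_LOGIN.getBoolean(info)`, and swapping them would still compile while changing how the connection authenticates. Naming the value before the call makes the order easier to check in review, e.g. `boolean jaasLogin = PGProperty.JAAS_LOGIN.getBoolean(info);` followed by passing `usespnego, jaasLogin`. The enclosing `doAuthentication` method starts before and continues after this hunk.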

@@ -880,6 +880,22 @@ public void setJaasApplicationName(String name) {
PGProperty.JAAS_APPLICATION_NAME.set(properties, name);
}

/**
* @return true if perform JAAS login before GSS authentication
* @see PGProperty#JAAS_LOGIN
*/
public boolean getJaasLogin() {
return PGProperty.JAAS_LOGIN.getBoolean(properties);
}

/**
* @param doLogin true if perform JAAS login before GSS authentication
* @see PGProperty#JAAS_LOGIN
*/
public void setJaasLogin(boolean doLogin) {
PGProperty.JAAS_LOGIN.set(properties, doLogin);
}

/**
* @return Kerberos server name
* @see PGProperty#KERBEROS_SERVER_NAME
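Review bot: The Javadoc on `getJaasLogin` and `setJaasLogin` has no summary sentence, and "true if perform JAAS login" does not tell a caller what the default is or what `false` implies. I would write `@return true if the driver performs a JAAS login before GSSAPI authentication (the default)` on the getter and `@param doLogin false to skip the JAAS login and rely on GSS credentials already available to the JVM` on the setter. The second wording follows the documentation text added in this commit, so it should be checked against what the driver actually does when no credential is present.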
@@ -29,7 +29,7 @@
private static final Logger LOGGER = Logger.getLogger(MakeGSS.class.getName());

public static void authenticate(PGStream pgStream, String host, String user, String password,
String jaasApplicationName, String kerberosServerName, boolean useSpnego)
String jaasApplicationName, String kerberosServerName, boolean useSpnego, boolean jaasLogin)
throws IOException, SQLException {
LOGGER.log(Level.FINEST, " <=BE AuthenticationReqGSS");

@@ -42,7 +42,7 @@ public static void authenticate(PGStream pgStream, String host, String user, Str

Exception result;
try {
boolean performAuthentication = true;
boolean performAuthentication = jaasLogin;
GSSCredential gssCredential = null;
Subject sub = Subject.getSubject(AccessController.getContext());
if (sub != null) {
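Review bot: The local `performAuthentication` is now initialised from `jaasLogin`, so its name no longer describes what it gates; `boolean performJaasLogin = jaasLogin;` would read correctly, with the later uses outside this hunk renamed to match. With `jaasLogin` false and no Subject on the access-control context, both `gssCredential` and `sub` are still null after the visible lines, so the rest of the try block (not shown here) has to tolerate that. Presumably the GSS layer then falls back to whatever default credentials the process holds, in which case the `user` and `password` arguments no longer determine the authenticated principal. A log line on that path, such as `LOGGER.log(Level.FINE, "JAAS login skipped; relying on existing GSS credentials");`, would help when working out which identity a connection used.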
