gssapi: reuse existing Subject and GssCredentials #201

Merged
merged 1 commit into from Dec 1, 2014

@simkam
Contributor

simkam commented Oct 8, 2014

Proposed fix for #200.

When a Subject exists in the AccessControllerContext and contains a GssCredential, the GssCredentials are reused.

@simkam simkam changed the title from GSS: reuse existing Subject and GssCredentials to gssapi: reuse existing Subject and GssCredentials Oct 8, 2014

@ringerc


Member

ringerc commented Dec 1, 2014

I don't use GSS myself, but this looks like a reasonable change to make, and one that should be harmless for existing users, as it'll fall back to the current codepath in any circumstance that would currently work without throwing an exception.

ringerc added a commit that referenced this pull request Dec 1, 2014

Merge pull request #201 from simkam/eap_krb_2
gssapi: Re-use existing Subject and GssCredentials

The current implementation of `MakeGSS.java` always calls JAAS directly. In managed environments like application servers an upper level layer can handle authentication and then call `Driver.connect`. PgJDBC may not have access to the raw GSS credentials, or may be requiring the user to unnecessarily repeat them when the upper layers already have this information.

Allow PgJDBC to query the `AccessControllerContext` for GSS credentials and, if found, use existing credentials. If no `AccessControllerContext` exists, proceed as before, acquiring credentials directly.

@ringerc ringerc merged commit b0e3b6d into pgjdbc:master Dec 1, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed
@ringerc


Member

ringerc commented Dec 1, 2014

Actually, on second thought I'm a little concerned about what happens when there's an AccessControllerContext, but it doesn't have GSS credentials configured, and the user is currently using PgJDBC's own credentials acquisition. Have you tested this case?

@ringerc ringerc added the enhancement label Dec 1, 2014

@simkam


Contributor

simkam commented Dec 1, 2014

No, I haven't tested this scenario, but it would throw PSQLException: GSS No valid credentials in subject. If backward compatibility is a concern in this case, it can be changed to fall back to the old code.

@ringerc


Member

ringerc commented Dec 1, 2014

I think that would be preferable. Would you mind sending a follow-up PR?

@simkam


Contributor

simkam commented Dec 1, 2014

Sure, I'll send it later today/tomorrow.
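
The lookup-then-fall-back decision discussed in this thread, as an added example that is not PgJDBC's `MakeGSS.java` code. It uses the JDK's `java.security.AccessControlContext` (what the thread calls AccessControllerContext); the names `GssCredentialLookup` and `Source`, and the assumption that the credential sits in the Subject's private credential set, are illustrative.

```java
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;

public class GssCredentialLookup {   // hypothetical class, not part of PgJDBC
    enum Source { REUSE_EXISTING, JAAS_LOGIN }

    // Returns a GSSCredential already attached to the caller's Subject, or null
    // when there is no Subject or the Subject carries no GSS credential.
    static GSSCredential findAmbientCredential() {
        // Java 8-era API; newer JDKs deprecate it along with the Security Manager.
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return null;                                  // no Subject at all
        }
        // Assumption: the upper layer stored the credential as a private credential.
        Set<GSSCredential> creds = subject.getPrivateCredentials(GSSCredential.class);
        return creds.isEmpty() ? null : creds.iterator().next();
    }

    // Reuse only when a credential was actually found; in every other case
    // take the driver's own JAAS login path instead of failing.
    static Source chooseSource() {
        return findAmbientCredential() != null ? Source.REUSE_EXISTING : Source.JAAS_LOGIN;
    }

    public static void main(String[] args) {
        // Constructed stand-in for a Kerberos credential; no GSS method is ever called.
        GSSCredential fake = (GSSCredential) Proxy.newProxyInstance(
            GSSCredential.class.getClassLoader(), new Class<?>[] { GSSCredential.class },
            (proxy, method, a) -> {
                switch (method.getName()) {
                    case "hashCode": return System.identityHashCode(proxy);
                    case "equals":   return proxy == a[0];
                    default: throw new UnsupportedOperationException(method.getName());
                }
            });
        Subject empty = new Subject();
        Subject withCred = new Subject();
        withCred.getPrivateCredentials().add(fake);

        PrivilegedAction<Source> probe = GssCredentialLookup::chooseSource;
        System.out.println("no Subject:            " + chooseSource());
        System.out.println("Subject, no GSS cred:  " + Subject.doAs(empty, probe));
        System.out.println("Subject with GSS cred: " + Subject.doAs(withCred, probe));
    }
}
```

The middle case is the one raised in review: a Subject that holds no GSSCredential resolves to `JAAS_LOGIN` here rather than an exception.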
