Removed unsafe package and native kerberos ticket check #2363
Conversation
|
|
||
| public class KerberosTicket { | ||
|
|
||
| private static final String CONFIG_ITEM_NAME = "pgjdbc"; |
There was a problem hiding this comment.
Should this be set to something unique (i.e. not clash with the pgjdbc actual login config name)?
There was a problem hiding this comment.
Well we are going to use it here
to make the actual connection. So it seems appropriate to have the same name. I agree we could get away with just checking for the cache, but since we are going to the trouble, we might as well make sure it is going to workThere was a problem hiding this comment.
That's fine, but wanted to note it's a departure of how it used to work before.
There was a problem hiding this comment.
Ya, I am aware. Which is why I wanted someone else to look over it for sanity. I have to admit to being a bit in the dark so looking for advice from an expert.
There was a problem hiding this comment.
I'm not an expert in this area unfortunately, btw.
There was a problem hiding this comment.
hmmm... trial by fire then..
| if ( entries == null ) { | ||
| jaasApplicationName = PGProperty.JAAS_APPLICATION_NAME.getDefaultValue(); | ||
| Configuration.setConfiguration(new CustomKrbConfig()); | ||
| } else { | ||
| Configuration.setConfiguration(new CustomKrbConfig()); | ||
| } |
There was a problem hiding this comment.
This looks strange. In either case your are setting CustomKrbConfig which only knows about pgjdbc. If somebody sets the jaas.config to, say, foo, then it still handles only pgjdbc. It won't see/use foo. It's unclear what the intent is. If the intent is to only use foo if the config is set (also for the creds-cache-lookup), then this isn't doing it. I think in that case it would fail, since foo is attempted to be looked up, but only pgjdbc will be set.
Since the previous version of this code doesn't do anything with the specified JAAS config, I wonder why do it now?
Shouldn't it be doing something like this (set the login config for the cache check to something other than pgjdbc as it's really doing something else: check the ticket cache, not try to login)?
Configration oldConfig = Configuration.getConfiguration();
Configuration.setConfiguration(new CustomKrbConfig());
lc = new LoginContext("krbTicketCacheCheck", new CallbackHandler() { ....
lc.login();
...
Subject sub = lc.getSubject();
boolean result = sub != null;
Configuration.setConfiguration(oldConfig);
return result;
|
@jerboaa FYI, this doesn't actually work since it won't find the default principal. Still working on it. |
Still not sure what to do with the configuration. Currently we think the name is pgjdbc for the service. This should probably be consistent