Message-ID:
From: "nrhall (@nrhall)"
To: "pgjdbc/pgjdbc"
Date: Fri, 24 Jan 2025 11:18:32 +0000
Subject: Re: [pgjdbc/pgjdbc] PR #3451: Support default GSS credentials in the Java Postgres client
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: nrhall
X-GitHub-Comment-Id: 2612280860
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3451
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/3451#issuecomment-2612280860
Content-Type: text/plain; charset=utf-8

Java's support for Kerberos has always been...strained, not helped by enterprise vendors offering Kerberos support with clearly no understanding of how it really works. JAAS in the JVM itself is one of the worst - all the docs make it sound like you basically have to use a keytab, and the set of options to just make it use the local ccache without any other magic is pretty baffling to a new user. Enabling 'native' JGSS support in the JVM doesn't work for credential acquisition via JAAS on Linux (yet does on Mac/Windows) - so if you really need the system libraries/config to be used (e.g. to support KCM), you can't. And nearly everything uses JAAS... :(

We have a corporate Kerberos environment where we ensure that users always have the right TGT/credentials wherever they need them - we nearly never want a user to obtain a fresh set of credentials from somewhere, because that's almost certainly not what they want.

That all said - I should say that pgjdbc was already good in that it supported a lot of the right things - e.g. auto mode for SSPI, and more straightforward Linux MIT/Heimdal setups probably just work out of the box with a file-based ccache and `jaasLogin=false`. The extension here just means more esoteric setups work better.

It's possible that with a little more work a sensible `auto` mode could work on Linux too - e.g. it's actually possible that making the changes in this PR the default behaviour might actually work for nearly all cases where you've set `jaasLogin=false`. It would also be nice to not need to set `jaasLogin=false` so that you need no arguments for integrated GSSAPI-based logins to work, but I'm not sure if there are other gotchas there.
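Added illustration (editor's example, not code from the PR or from the commenter): the two ways the comment above contrasts for pointing pgjdbc at a user's existing MIT/Heimdal ticket cache on Linux, i.e. `jaasLogin=false` so JGSS reads the ccache directly, versus the default JAAS path with a `Krb5LoginModule` entry that only uses the ticket cache and never prompts for a keytab or password. The `jaasLogin`, `jaasApplicationName`, `gsslib` and `gssEncMode` connection properties, the `javax.security.auth.useSubjectCredsOnly` and `sun.security.jgss.native` system properties, and the `useTicketCache`/`doNotPrompt`/`renewTGT` login-module options are real; the host, database and JAAS config file location are placeholders chosen for the example, and whether pgjdbc already sets `useSubjectCredsOnly` itself is not verified here, so it is set explicitly.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Editor's example (not part of pgjdbc or PR #3451): connect with the
 * credentials already in the user's file ccache (e.g. /tmp/krb5cc_<uid>
 * after kinit), never with a keytab or an interactive prompt.
 */
public class GssCcacheExample {

    // Placeholder target; replace with a real host and database.
    private static final String URL = "jdbc:postgresql://db.example.internal:5432/appdb";

    /**
     * Mode 1: jaasLogin=false. pgjdbc skips its own JAAS LoginContext and
     * hands credential acquisition straight to JGSS, which with the standard
     * Java provider picks up the default ccache. JGSS is only allowed to look
     * outside a JAAS Subject when useSubjectCredsOnly is false (set in main).
     */
    static Properties propsWithoutJaas() {
        Properties p = new Properties();
        p.setProperty("jaasLogin", "false");
        p.setProperty("gsslib", "gssapi");      // GSSAPI rather than SSPI/auto
        p.setProperty("gssEncMode", "prefer");  // use GSS encryption if the server offers it
        // kerberosServerName defaults to "postgres"; set it only if the SPN differs.
        return p;
    }

    /**
     * Mode 2: keep jaasLogin=true (the default) but make the JAAS entry read
     * only the ticket cache. The entry below goes in the file named by the
     * java.security.auth.login.config system property; "pgjdbc" is the
     * driver's default jaasApplicationName.
     *
     *   pgjdbc {
     *     com.sun.security.auth.module.Krb5LoginModule required
     *       useTicketCache=true
     *       doNotPrompt=true
     *       renewTGT=true;
     *   };
     */
    static Properties propsWithJaasTicketCache() {
        Properties p = new Properties();
        p.setProperty("jaasApplicationName", "pgjdbc");
        p.setProperty("gsslib", "gssapi");
        return p;
    }

    public static void main(String[] args) throws SQLException {
        // Needed for mode 1 so JGSS may use the ccache without a JAAS Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Placeholder path for the mode 2 JAAS configuration file.
        System.setProperty("java.security.auth.login.config", "/etc/pgjdbc-jaas.conf");
        // Optional: platform GSS library (e.g. for KCM). As the comment notes, on
        // Linux this changes the GSS calls but not JAAS credential acquisition.
        // System.setProperty("sun.security.jgss.native", "true");

        Properties props = (args.length > 0 && args[0].equals("jaas"))
                ? propsWithJaasTicketCache()
                : propsWithoutJaas();

        try (Connection c = DriverManager.getConnection(URL, props);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("select current_user")) {
            if (rs.next()) {
                System.out.println("authenticated as " + rs.getString(1));
            }
        }
    }
}
```

Run it after `kinit` (or with a KCM/file ccache already populated by the environment) and check that `current_user` is the Kerberos principal's mapped role; if it instead falls back to password authentication, the server's `pg_hba.conf` entry for the client is not `gss`, which is a server-side setting outside this example's scope.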