Message-ID: <gh-pgjdbc-pgjdbc-3451-c2612304096@github.com>
From: "nrhall (@nrhall)" <noreply+nrhall@github.com>
To: "pgjdbc/pgjdbc" <noreply+pgjdbc-pgjdbc@github.com>
Date: Fri, 24 Jan 2025 11:31:30 +0000
Subject: Re: [pgjdbc/pgjdbc] PR #3451: Support default GSS credentials in the Java Postgres client
In-Reply-To: <gh-pgjdbc-pgjdbc-3451@github.com>
References: <gh-pgjdbc-pgjdbc-3451@github.com>
List-Id: <gh-pgjdbc-pgjdbc.github.com>
X-GitHub-Author-Login: nrhall
X-GitHub-Comment-Id: 2612304096
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3451
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/3451#issuecomment-2612304096
Content-Type: text/plain; charset=utf-8

Some further testing suggests that `jaasLogin=false` on it's own works well if you have a default setup (`user@DEFAULT_REALM` as principal, file-based ccache).  Adding the `gssUseDefaultCreds=true` doesn't change the way that works much - with all defaults, this code will acquire the same creds in each branch of the conditional - either by using the hard-coded principal name and calling `createCredential`, or just setting it to null and letting the Kerberos system libs figure it out:
```
        if (gssUseDefaultCreds) {
          clientCreds = manager.createCredential(GSSCredential.INITIATE_ONLY);
        } else {
          GSSName clientName = manager.createName(principalName, GSSName.NT_USER_NAME);
          clientCreds = manager.createCredential(clientName, 8 * 3600, desiredMechs,
              GSSCredential.INITIATE_ONLY);
        }
```
Anyway, just thought it was worth mentioning!