Re: PATH: SSL flexibility and documentation - Mailing list pgsql-jdbc

From Chris Smith
Subject Re: PATH: SSL flexibility and documentation
Date
Msg-id 044401c3f697$4d80ff20$6f00000a@KYA
Whole thread Raw
In response to Re: PATH: SSL flexibility and documentation  (Kris Jurka <books@ejurka.com>)
List pgsql-jdbc
Kris Jurka wrote:
> Documentation additions should ideally be to the docbook source in
> the doc subdirectory.

Alright.  I'll keep that in mind for the future.

As far as this patch, you've obviously thought about it and have the same
general idea as I do, so I'll let you take it from here.  I have no vested
interest in this functionality, and I only wrote the patch on the chance that
no one else had gotten around to it and it seemed pretty trivial.

As to your specific comments:

> I was initially thinking about a
> setSSLSocketFactory(Object) for the non-ssl case which would do
> nothing, but allow code that tried to use this ssl option to compile
> and run consistently.  That's not entirely consistent and perhaps
> setSSLSocketFactory should always take an Object parameter and
> conditionally cast it if using SSL.

That's exactly what I had in mind when I said it would be possible but ugly to
achieve both.  Something like:

@SSL@ private javax.net.ssl.SSLSocketFactory factory;

      public static void setSSLSocketFactory(Object factoryObj)
      {
@SSL@     this.factory = (javax.net.ssl.SSLSocketFactory) factoryObj;
      }

So you could still call setSSLSocketFactory even for a driver without SSL
compiled under JDK 1.1; but it wouldn't do anything.  Alternatively, perhaps
it should throw an exception.  I hate the idea of silently failing at
anything.

> One way around this would be to make the API something
> like setSSLSocketFactory(String factoryName, Object factory) and then
> have the url parameter be ?ssl=<factoryName>.

Sounds somewhat reasonable, but it does complicate the interface for the
common case.  If, instead, you had methods either to set the default factory
*or* use named factories, it wouldn't force anyone to figure out an
interaction between some String parameter and a piece of the connection URL.
I doubt most applications make connections to more than one backend anyway.

> This still doesn't
> solve the problem of trying to use something like this in a
> Datasource [...]

Didn't look into that, though I agree we should definitely worry about
DataSource support... especially with Sun floating around comments like "we
expect that DriverManager will be deprecated in a future JDBC release".

> Finally I'd like to take a closer look at the other ssl options that
> are available before I committed to an API that might not support
> them.  I know the server can optionally authenticate the client's
> cert and there are some other undocumented ssl things.

Sure.  There are options on SSLSocket as well that this doesn't provide access
to.  I can't think of a clean way to provide those options, except as yet more
separate parameters on top of this.  I can't imagine asking user code to hand
us back an SSLSocket instance.

--
www.designacourse.com
The Easiest Way to Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation


pgsql-jdbc by date:

Previous
From: Kris Jurka
Date:
Subject: Re: PATH: SSL flexibility and documentation
Next
From: Guido Fiala
Date:
Subject: ResultSetMetaData.isNullable(i) not working?