Re: PATH: SSL flexibility and documentation - Mailing list pgsql-jdbc
From | Chris Smith |
---|---|
Subject | Re: PATH: SSL flexibility and documentation |
Date | |
Msg-id | 044401c3f697$4d80ff20$6f00000a@KYA Whole thread Raw |
In response to | Re: PATH: SSL flexibility and documentation (Kris Jurka <books@ejurka.com>) |
List | pgsql-jdbc |
Kris Jurka wrote: > Documentation additions should ideally be to the docbook source in > the doc subdirectory. Alright. I'll keep that in mind for the future. As far as this patch, you've obviously thought about it and have the same general idea as I do, so I'll let you take it from here. I have no vested interest in this functionality, and I only wrote the patch on the chance that no one else had gotten around to it and it seemed pretty trivial. As to your specific comments: > I was initially thinking about a > setSSLSocketFactory(Object) for the non-ssl case which would do > nothing, but allow code that tried to use this ssl option to compile > and run consistently. That's not entirely consistent and perhaps > setSSLSocketFactory should always take an Object parameter and > conditionally cast it if using SSL. That's exactly what I had in mind when I said it would be possible but ugly to achieve both. Something like: @SSL@ private javax.net.ssl.SSLSocketFactory factory; public static void setSSLSocketFactory(Object factoryObj) { @SSL@ this.factory = (javax.net.ssl.SSLSocketFactory) factoryObj; } So you could still call setSSLSocketFactory even for a driver without SSL compiled under JDK 1.1; but it wouldn't do anything. Alternatively, perhaps it should throw an exception. I hate the idea of silently failing at anything. > One way around this would be to make the API something > like setSSLSocketFactory(String factoryName, Object factory) and then > have the url parameter be ?ssl=<factoryName>. Sounds somewhat reasonable, but it does complicate the interface for the common case. If, instead, you had methods either to set the default factory *or* use named factories, it wouldn't force anyone to figure out an interaction between some String parameter and a piece of the connection URL. I doubt most applications make connections to more than one backend anyway. > This still doesn't > solve the problem of trying to use something like this in a > Datasource [...] Didn't look into that, though I agree we should definitely worry about DataSource support... especially with Sun floating around comments like "we expect that DriverManager will be deprecated in a future JDBC release". > Finally I'd like to take a closer look at the other ssl options that > are available before I committed to an API that might not support > them. I know the server can optionally authenticate the client's > cert and there are some other undocumented ssl things. Sure. There are options on SSLSocket as well that this doesn't provide access to. I can't think of a clean way to provide those options, except as yet more separate parameters on top of this. I can't imagine asking user code to hand us back an SSLSocket instance. -- www.designacourse.com The Easiest Way to Train Anyone... Anywhere. Chris Smith - Lead Software Developer/Technical Trainer MindIQ Corporation
pgsql-jdbc by date: