Re: Support for cert auth in JDBC - Mailing list pgsql-jdbc

From Craig Ringer
Subject Re: Support for cert auth in JDBC
Date
Msg-id 4DDC5DED.7010903@postnewspapers.com.au
Whole thread Raw
In response to Re: Support for cert auth in JDBC  (Kris Jurka <books@ejurka.com>)
Responses Re: Support for cert auth in JDBC
List pgsql-jdbc
On 25/05/11 00:27, Kris Jurka wrote:
>
>
> On Tue, 24 May 2011, Marc-Andr? Laverdi?re wrote:
>
>> It is not over... It is not in the CVS repository yet :D
>>
>> What would be the next step?
>
> It was not clear to me that the discussion between you and Craig had
> resulted in a final code version.  Apparently you think so.  Craig do
> you concur?

I'm happy with the state of the code, but should really test it properly
before signing off on that. In particular, I need to test PKCS#12 cert
files and test a JECKS keystore containing multiple keys only one of
which is valid to access Pg.

On the other hand, I'm swamped at the moment and unsure if I'll get to
that in a reasonable amount of time. The tests Marc-André wrote
demonstrate the core functionality pretty well, and the code would be
good to get into the official codebase to save others from duplicating
the same work over and over as both Marc-André and I have each done already.

Argh. I'm going to have to come back to that, as I have a backup server
to fix. Maybe it's best if you have a look and see what you think of it,
while I try to find some time to do some more testing.

> Perhaps some documentation updates
> would be in order, but I haven't looked at the code yet to know what
> might be appropriate.

Some documentation updates are definitely in order, to sit alongside the
existing documentation for the non-validating ssl factory.


By the way, I _do_ think it'd be useful to add support for constructing
the socket factory with:

  FactoryClass(String arg, Properties jdbcProperties)

... where the properties argument contains all the Pg JDBC properties
like the user name and password. It'd make it easier for apps to pass
custom args into a socket factory, especially things like the password
to the user's private key that they don't want to have to put in the
sslocketfactoryarg string.

I could also then produce a second version of the cert factory for
people to use that got all its settings from the jdbc connection
properties instead of the sytem properties.

I wouldn't suggest adding that now, though, but maybe as a revision once
the working code is already committed.

--
Craig Ringer

pgsql-jdbc by date:

Previous
From: Kris Jurka
Date:
Subject: Re: Support for cert auth in JDBC
Next
From: "David Johnston"
Date:
Subject: Inconsistent "Set Local search_path" behavior in JDBC