Thread: Java .pgpass reader
Did anyone ever implement code in Java to read Postgres configuration information from a user's .pgpass file - or a more general pg_service.conf - as discussed in this thread back in 2006?

> * *From*: David Fetter <david(at)fetter(dot)org>
> * *To*: PostgreSQL JDBC List <pgsql-jdbc(at)postgresql(dot)org>
> * *Subject*: pg_service.conf ?
> * *Date*: Mon, 13 Mar 2006 19:23:06 -0800

http://archives.postgresql.org/pgsql-jdbc/2006-03/msg00060.php
http://groups.google.com/group/pgsql.interfaces.jdbc/browse_thread/thread/fa5669c89282d898/0f438795270b1a3a

My organization uses .pgpass files to securely store and read users' passwords when users run applications in Perl and Python but currently not for Java.

A search on Google finds one implementation in Java for reading configuration info from a .pgpass file, but it is provided under a somewhat restrictive license:

http://rb.dcache.org/r/1308/
modules/srm/src/org/dcache/srm/util/Pgpass.java <http://rb.dcache.org/r/1308/diff/1/?file=9469#file9469line54>
http://www.dcache.org/manuals/dCacheSoftwareLicence.html

Of course, it's not like the implementation of this class is very hard, but why reinvent the wheel if you don't have to?

Thanks.

--
Scott Langley
Systems Analyst/Programmer
Statistical Center for HIV/AIDS Research and Prevention (SCHARP)
Fred Hutchinson Cancer Research Center
Seattle, Washington
slangley@scharp.org

slangley@scharp.org (Scott Langley) writes:
> Did anyone ever implement code in Java to read Postgres configuration
> information from a user's .pgpass file - or a more general
> pg_service.conf - as discussed in this thread back in 2006?

We've done this; it turned out to be something to do not at the level of an individual connection, but rather in a connection pool implementation.

That turns out to be not so useful as a "general" solution that would be included in the JDBC driver :-(.

--
select 'cbbrowne' || '@' || 'cbbrowne.com';
http://cbbrowne.com/info/internet.html
"MS apparently now has a team dedicated to tracking problems with Linux and publicizing them. I guess eventually they'll figure out this back fires... ;)" -- William Burrow <aa126@DELETE.fan.nb.ca>

On Wednesday, 16 June 2010 at 20:07:12, Scott Langley wrote:
> Did anyone ever implement code in Java to read Postgres configuration
> information from a user's .pgpass file - or a more general
> pg_service.conf - as discussed in this thread back in 2006?

.pgpass - could be a little useful for a desktop JDBC application, and almost useless for server applications (and pgpass was created, as I think, to provide passwords for server jobs - CRON etc.)

pg_service.conf - I think this is much more interesting, but only for desktop applications; server applications generally connect to the database through WEB/EJB/WS + J2EE, and J2EE servers support a much more advanced way of name mapping - e.g. the driver could search for such a file on a network share or in a user's shared folder. :)

Implementation of this should be turned off by default, as it could decrease the security of servers.

> My organization uses .pgpass files to securely store and read users'
> passwords when users run applications in Perl and Python but currently
> not for Java.

Hmm... I will disagree. Storing a password in any not-fully-user-controlled file (or not in wallet-type files) is never secure, because a hacker at 90% can retrieve the original password (if it's not encrypted with a user-provided password), or at least can reproduce the chain of activities to log in to the database. In theory the better way is to use a user-in-mind password (but it depends who uses the application), and use any type of SSO / e-wallets / Active Directory auto login, etc. Of course it sometimes depends on particular needs. Giving a user the password to the DB is much more insecure just because it is - the user can see data that they should not see, or perform other bad tasks (deleting, updating, granting).

But... generally I vote for yes. This could be helpful for some fast and simple applications.

Hi Chris:

Would you be willing to share your code for this?

I'm still wanting to / planning to implement this for an individual JDBC connection as the Java process that will use it runs once a week as a cron job.

And to Radoslaw:

Your point about the relatively weak security of storing passwords in .pgpass files is well-taken. But I'm neither the SysAdmin nor the DBA at where I work so I can't easily change policy. However, we are at least required to change our database passwords on a regular basis.

Scott

Chris Browne wrote:
> slangley@scharp.org (Scott Langley) writes:
>
>> Did anyone ever implement code in Java to read Postgres configuration
>> information from a user's .pgpass file - or a more general
>> pg_service.conf - as discussed in this thread back in 2006?
>>
>
> We've done this; it turned out to be something to do not at the level
> of an individual connection, but rather in a connection pool
> implementation.
>
> That turns out to be not so useful as a "general" solution that would
> be included in the JDBC driver :-(.
>
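
An added example, not code from any poster in this thread or from the JDBC driver: a minimal per-connection .pgpass lookup in Java following the libpq file format (host:port:database:user:password, `*` wildcards, backslash escapes, first match wins), with the owner-only permission check that libpq applies on Unix. The class name `PgPassExample`, the host names and the passwords are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.*;

public class PgPassExample {
    // Split on unescaped ':'; a backslash makes the next character literal.
    static List<String> splitFields(String line) {
        List<String> fields = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < line.length(); i++) {
            char c = line.charAt(i);
            if (c == '\\' && i + 1 < line.length()) cur.append(line.charAt(++i));
            else if (c == ':') { fields.add(cur.toString()); cur.setLength(0); }
            else cur.append(c);
        }
        fields.add(cur.toString());
        return fields;
    }

    // First matching entry wins; "*" in any of the four key fields matches anything.
    static Optional<String> lookup(List<String> lines, String host, int port, String db, String user) {
        String[] want = {host, Integer.toString(port), db, user};
        for (String line : lines) {
            if (line.trim().isEmpty() || line.startsWith("#")) continue;
            List<String> f = splitFields(line);
            if (f.size() < 5) continue; // malformed entry: skip it
            boolean match = true;
            for (int i = 0; i < 4; i++) match &= f.get(i).equals("*") || f.get(i).equals(want[i]);
            if (match) return Optional.of(f.get(4));
        }
        return Optional.empty();
    }

    // POSIX file systems only: reject a file that group or others can access,
    // since libpq ignores a password file with such permissions.
    static List<String> readIfPrivate(Path file) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(file))
            if (!p.name().startsWith("OWNER_"))
                throw new SecurityException(file + " must not be accessible by group or others (chmod 0600)");
        return Files.readAllLines(file);
    }

    public static void main(String[] args) {
        // Constructed sample entries; real use: readIfPrivate(Paths.get(System.getProperty("user.home"), ".pgpass"))
        List<String> lines = Arrays.asList("# host:port:database:user:password",
            "db.example.test:5432:stats:report:p\\:w", "*:*:*:report:fallback");
        System.out.println(lookup(lines, "db.example.test", 5432, "stats", "report")); // specific entry
        System.out.println(lookup(lines, "other.example.test", 5432, "x", "report"));  // wildcard entry
        System.out.println(lookup(lines, "db.example.test", 5432, "stats", "nobody")); // no entry
    }
}
```

The returned password would be passed to `DriverManager.getConnection(url, user, password)` by the calling job; the permission check does not make the stored password any less recoverable by someone who can read the owner's files.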