| --- a/org/postgresql/core/v3/ConnectionFactoryImpl.java 2015-03-23 07:32:15.000000000 +0100 |
| +++ b/org/postgresql/core/v3/ConnectionFactoryImpl.java 2015-03-23 07:41:53.160058718 +0100 |
| @@ -19,7 +19,6 @@ |
| |
| import org.postgresql.PGProperty; |
| import org.postgresql.core.*; |
| -import org.postgresql.sspi.SSPIClient; |
| import org.postgresql.hostchooser.GlobalHostStatusTracker; |
| import org.postgresql.hostchooser.HostChooser; |
| import org.postgresql.hostchooser.HostChooserFactory; |
| @@ -387,11 +386,7 @@ |
| // or an authentication request |
| |
| String password = PGProperty.PASSWORD.get(info); |
| - |
| - /* SSPI negotiation state, if used */ |
| - SSPIClient sspiClient = null; |
| |
| - try { |
| authloop: |
| while (true) |
| { |
| @@ -507,88 +502,16 @@ |
| case AUTH_REQ_SSPI: |
| /* |
| * Use GSSAPI if requested on all platforms, via JSSE. |
| - * |
| - * For SSPI auth requests, if we're on Windows attempt native SSPI |
| - * authentication if available, and if not disabled by setting a |
| - * kerberosServerName. On other platforms, attempt JSSE GSSAPI |
| - * negotiation with the SSPI server. |
| - * |
| - * Note that this is slightly different to libpq, which uses SSPI |
| - * for GSSAPI where supported. We prefer to use the existing Java |
| - * JSSE Kerberos support rather than going to native (via JNA) calls |
| - * where possible, so that JSSE system properties etc continue |
| - * to work normally. |
| - * |
| - * Note that while SSPI is often Kerberos-based there's no guarantee |
| - * it will be; it may be NTLM or anything else. If the client responds |
| - * to an SSPI request via GSSAPI and the other end isn't using Kerberos |
| - * for SSPI then authentication will fail. |
| */ |
| - final String gsslib = PGProperty.GSS_LIB.get(info); |
| - final boolean usespnego = PGProperty.USE_SPNEGO.getBoolean(info); |
| - |
| - boolean useSSPI = false; |
| + org.postgresql.gss.MakeGSS.authenticate(pgStream, host, |
| + user, password, |
| + PGProperty.JAAS_APPLICATION_NAME.get(info), |
| + PGProperty.KERBEROS_SERVER_NAME.get(info), |
| + logger, |
| + PGProperty.USE_SPNEGO.getBoolean(info)); |
| + |
| + break; |
| |
| - /* |
| - * Use SSPI if we're in auto mode on windows and have a |
| - * request for SSPI auth, or if it's forced. Otherwise |
| - * use gssapi. If the user has specified a Kerberos server |
| - * name we'll always use JSSE GSSAPI. |
| - */ |
| - if (gsslib.equals("gssapi")) |
| - logger.debug("Using JSSE GSSAPI, param gsslib=gssapi"); |
| - else if (areq == AUTH_REQ_GSS && !gsslib.equals("sspi")) |
| - logger.debug("Using JSSE GSSAPI, gssapi requested by server and gsslib=sspi not forced"); |
| - else |
| - { |
| - /* Determine if SSPI is supported by the client */ |
| - sspiClient = new SSPIClient(pgStream, |
| - PGProperty.SSPI_SERVICE_CLASS.get(info), |
| - /* Use negotiation for SSPI, or if explicitly requested for GSS */ |
| - areq == AUTH_REQ_SSPI || (areq == AUTH_REQ_GSS && usespnego), |
| - logger); |
| - |
| - useSSPI = sspiClient.isSSPISupported(); |
| - logger.debug("SSPI support detected: " + useSSPI); |
| - |
| - if (!useSSPI) { |
| - /* No need to dispose() if no SSPI used */ |
| - sspiClient = null; |
| - |
| - if (gsslib.equals("sspi")) |
| - throw new PSQLException("SSPI forced with gsslib=sspi, but SSPI not available; set loglevel=2 for details", |
| - PSQLState.CONNECTION_UNABLE_TO_CONNECT); |
| - } |
| - |
| - logger.debug("Using SSPI: " + useSSPI + ", gsslib="+gsslib+" and SSPI support detected"); |
| - } |
| - |
| - if (useSSPI) |
| - { |
| - /* SSPI requested and detected as available */ |
| - sspiClient.startSSPI(); |
| - } |
| - else |
| - { |
| - /* Use JGSS's GSSAPI for this request */ |
| - org.postgresql.gss.MakeGSS.authenticate(pgStream, host, |
| - user, password, |
| - PGProperty.JAAS_APPLICATION_NAME.get(info), |
| - PGProperty.KERBEROS_SERVER_NAME.get(info), |
| - logger, |
| - usespnego); |
| - } |
| - |
| - break; |
| - |
| - case AUTH_REQ_GSS_CONTINUE: |
| - /* |
| - * Only called for SSPI, as GSS is handled by an inner loop |
| - * in MakeGSS. |
| - */ |
| - sspiClient.continueSSPI(l_msgLen - 8); |
| - break; |
| - |
| case AUTH_REQ_OK: |
| /* Cleanup after successful authentication */ |
| if (logger.logDebug()) |
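Review bot: With the `gsslib` lookup removed from the `AUTH_REQ_SSPI` case, a connection configured with `gsslib=sspi` is now handed to `MakeGSS.authenticate` without comment, where the old code threw a `PSQLException` if SSPI was forced but unavailable. If `PGProperty.GSS_LIB` is still defined after this patch (not visible here), reject that setting explicitly before the call, e.g. `if ("sspi".equals(PGProperty.GSS_LIB.get(info))) throw new PSQLException("gsslib=sspi requested, but SSPI support is not included in this build", PSQLState.CONNECTION_UNABLE_TO_CONNECT);`. The shortened comment also drops the caveat that an SSPI server may be using NTLM rather than Kerberos, which matters more now that GSSAPI is the only reply path; keep it as `/* SSPI may not be Kerberos-based (e.g. NTLM); a GSSAPI reply will then fail authentication. */`. The enclosing switch and authentication loop begin outside this hunk, so how a stray `AUTH_REQ_GSS_CONTINUE` message is handled after the case removal cannot be confirmed from here.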
| @@ -609,18 +532,6 @@ |
| throw new PSQLException(GT.tr("Protocol error. Session setup failed."), PSQLState.PROTOCOL_VIOLATION); |
| } |
| } |
| - } finally { |
| - /* Cleanup after successful or failed authentication attempts */ |
| - if (sspiClient != null) |
| - { |
| - try { |
| - sspiClient.dispose(); |
| - } catch (RuntimeException ex) { |
| - logger.log("Unexpected error during SSPI context disposal", ex); |
| - } |
| - |
| - } |
| - } |
| |
| } |
| |