--- a/org/postgresql/core/v3/ConnectionFactoryImpl.java 2015-10-09 20:55:53.000000000 +0200 +++ b/org/postgresql/core/v3/ConnectionFactoryImpl.java 2015-10-14 20:42:48.816753341 +0200 @@ -32,7 +32,6 @@ import org.postgresql.hostchooser.HostChooserFactory; import org.postgresql.hostchooser.HostRequirement; import org.postgresql.hostchooser.HostStatus; -import org.postgresql.sspi.SSPIClient; import org.postgresql.util.GT; import org.postgresql.util.HostSpec; import org.postgresql.util.MD5Digest; @@ -394,11 +393,7 @@ // or an authentication request String password = PGProperty.PASSWORD.get(info); - - /* SSPI negotiation state, if used */ - SSPIClient sspiClient = null; - try { authloop: while (true) { @@ -514,88 +509,16 @@ case AUTH_REQ_SSPI: /* * Use GSSAPI if requested on all platforms, via JSSE. - * - * For SSPI auth requests, if we're on Windows attempt native SSPI - * authentication if available, and if not disabled by setting a - * kerberosServerName. On other platforms, attempt JSSE GSSAPI - * negotiation with the SSPI server. - * - * Note that this is slightly different to libpq, which uses SSPI - * for GSSAPI where supported. We prefer to use the existing Java - * JSSE Kerberos support rather than going to native (via JNA) calls - * where possible, so that JSSE system properties etc continue - * to work normally. - * - * Note that while SSPI is often Kerberos-based there's no guarantee - * it will be; it may be NTLM or anything else. If the client responds - * to an SSPI request via GSSAPI and the other end isn't using Kerberos - * for SSPI then authentication will fail. */ - final String gsslib = PGProperty.GSS_LIB.get(info); - final boolean usespnego = PGProperty.USE_SPNEGO.getBoolean(info); - - boolean useSSPI = false; + org.postgresql.gss.MakeGSS.authenticate(pgStream, host, + user, password, + PGProperty.JAAS_APPLICATION_NAME.get(info), + PGProperty.KERBEROS_SERVER_NAME.get(info), + logger, + PGProperty.USE_SPNEGO.getBoolean(info)); + + break; - /* - * Use SSPI if we're in auto mode on windows and have a - * request for SSPI auth, or if it's forced. Otherwise - * use gssapi. If the user has specified a Kerberos server - * name we'll always use JSSE GSSAPI. - */ - if (gsslib.equals("gssapi")) - logger.debug("Using JSSE GSSAPI, param gsslib=gssapi"); - else if (areq == AUTH_REQ_GSS && !gsslib.equals("sspi")) - logger.debug("Using JSSE GSSAPI, gssapi requested by server and gsslib=sspi not forced"); - else - { - /* Determine if SSPI is supported by the client */ - sspiClient = new SSPIClient(pgStream, - PGProperty.SSPI_SERVICE_CLASS.get(info), - /* Use negotiation for SSPI, or if explicitly requested for GSS */ - areq == AUTH_REQ_SSPI || (areq == AUTH_REQ_GSS && usespnego), - logger); - - useSSPI = sspiClient.isSSPISupported(); - logger.debug("SSPI support detected: " + useSSPI); - - if (!useSSPI) { - /* No need to dispose() if no SSPI used */ - sspiClient = null; - - if (gsslib.equals("sspi")) - throw new PSQLException("SSPI forced with gsslib=sspi, but SSPI not available; set loglevel=2 for details", - PSQLState.CONNECTION_UNABLE_TO_CONNECT); - } - - logger.debug("Using SSPI: " + useSSPI + ", gsslib="+gsslib+" and SSPI support detected"); - } - - if (useSSPI) - { - /* SSPI requested and detected as available */ - sspiClient.startSSPI(); - } - else - { - /* Use JGSS's GSSAPI for this request */ - org.postgresql.gss.MakeGSS.authenticate(pgStream, host, - user, password, - PGProperty.JAAS_APPLICATION_NAME.get(info), - PGProperty.KERBEROS_SERVER_NAME.get(info), - logger, - usespnego); - } - - break; - - case AUTH_REQ_GSS_CONTINUE: - /* - * Only called for SSPI, as GSS is handled by an inner loop - * in MakeGSS. - */ - sspiClient.continueSSPI(l_msgLen - 8); - break; - case AUTH_REQ_OK: /* Cleanup after successful authentication */ if (logger.logDebug()) @@ -616,18 +539,6 @@ throw new PSQLException(GT.tr("Protocol error. Session setup failed."), PSQLState.PROTOCOL_VIOLATION); } } - } finally { - /* Cleanup after successful or failed authentication attempts */ - if (sspiClient != null) - { - try { - sspiClient.dispose(); - } catch (RuntimeException ex) { - logger.log("Unexpected error during SSPI context disposal", ex); - } - - } - } }