- Notifications
You must be signed in to change notification settings - Fork904
Support default GSS credentials in the Java Postgres client#3451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
vlsi approved these changesNov 22, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This looks good to me.
@davecramer , WDYT?
187b906 intopgjdbc:master 16 of 19 checks passed
Uh oh!
There was an error while loading.Please reload this page.
Thanks very much@vlsi and@davecramer! |
Is that also supposed to work with default/native cache on Windows SPSS? |
Since we don't have a windows environment to test it's hard to know. If you can test this it would be appreciated. |
I am on it. maybe it’s not relevant or I had a th8nko, since it has it’s own spnego and sspi modes (lets see… what i can see) |
Some testing this morning on Windows suggests that this isn't needed - it just works as it should - you need "jaasLogin=false", and it'll skip trying to use JAAS and just use native Windows auth - This doesn't work in the same way on Linux, where you could have a variety of different kerberos configurations - e.g. if you have a setup where username@DEFAULT_REALM isn't your default principal name, or you need to use something like KCM as opposed to just a ccache on disk (JAAS/JGSS don't support KCM using the pure Java code, you need it to drop to using the system libs with In our corp environment, if I just set |
Java's support for Kerberos has always been...strained, not helped by enterprise vendors offering Kerberos support with clearly no understanding on how it really works. JAAS in the JVM itself is one of the worst - all the docs make it sound like you basically have to use a keytab, and the set of options to just make it use the local ccache without any other magic are pretty baffling to a new user. Enabling 'native' JGSS support in the JVM doesn't work for credential acquisition via JAAS on Linux (yet does on Mac/Windows) - so if you really need the system libraries/config to be used (e.g. to support KCM), you can't. And nearly everything uses JAAS... :( We have a corporate Kerberos environment where we ensure that users always have the right TGT/credentials wherever they need them - we nearly never want a user to obtain a fresh set of credentials from somewhere, because that's almost certainly not what they want. That all said - I should say that pgjdbc was already good in that it supported a lot of the right things - e.g. auto mode for SSPI, and more straightforward Linux MIT/Heimdal setups probably just work out the box with a file based ccache and It's possible that with a little more work a sensible |
Some further testing suggests that Anyway, just thought it was worth mentioning! |
@nrhall This is awesome, you are correct it is poorly implemented and documented. |
I'd be happy to help - I can't promise to have a lot of spare time to do actual dev work, but happy to try and get to a point where we have a working test environment that makes it easy to run the tests. I might need a few pointers on which of the tests are relevant - I did spend a little time looking through when I submitted this originally but I wasn't quite sure. |
(I should add that over time, I think we'll rely quite a lot on this library, and we're an OSS-friendly company, so we'll definitely contribute back fixes wherever we can) |
I wrote thishttps://github.com/pgjdbc/pgjdbc/tree/master/test-gss at one point. I'm pretty sure it's stale as I haven't run it in a while. Perhaps you can use it as a starting point ? |
Thanks@davecramer - I'll try and get some time to look at this. No timescale promises, but it would be good to have a working set of tests here. |
Very much apreciated! (if you want to add to it, can you say if you use SSPI on Windows clients with (Linux) Servers in a Domain without local credential files? Does that work now despite credential guard?) |
As it happened, I was testing on a Win11 host, which has CredentialGuard enabled... And yes - those clients talk to Linux servers, some in MIT Kerberos realms using Linux MIT KDCs, others using Windows AD KDCs. |
benkard added a commit to benkard/mulkcms2 that referenced this pull requestJul 4, 2025
This MR contains the following updates:| Package | Type | Update | Change ||---|---|---|---|| [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.247.0` -> `^0.274.0`](https://renovatebot.com/diffs/npm/flow-bin/0.247.1/0.274.2) || [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | patch | `42.7.4` -> `42.7.7` || [org.liquibase:liquibase-maven-plugin](http://www.liquibase.org/liquibase-maven-plugin) ([source](https://github.com/liquibase/liquibase)) | build | minor | `4.29.2` -> `4.32.0` || [org.jsoup:jsoup](https://jsoup.org/) ([source](https://github.com/jhy/jsoup)) | compile | minor | `1.18.1` -> `1.21.1` || [net.java.dev.jna:jna](https://github.com/java-native-access/jna) | compile | minor | `5.15.0` -> `5.17.0` || [io.hypersistence:hypersistence-utils-hibernate-70](https://github.com/vladmihalcea/hypersistence-utils) | compile | patch | `3.10.0` -> `3.10.1` || [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | build | minor | `2.43.0` -> `2.44.5` || [org.apache.maven.plugins:maven-enforcer-plugin](https://maven.apache.org/enforcer/) | build | minor | `3.5.0` -> `3.6.0` || [org.apache.maven.plugins:maven-compiler-plugin](https://maven.apache.org/plugins/) | build | minor | `3.13.0` -> `3.14.0` |---### Release Notes<details><summary>flowtype/flow-bin</summary>### [`v0.274.2`](flow/flow-bin@33ba0ae...7a5fe2f)[Compare Source](flow/flow-bin@33ba0ae...7a5fe2f)### [`v0.274.1`](flow/flow-bin@2e4378a...33ba0ae)[Compare Source](flow/flow-bin@2e4378a...33ba0ae)### [`v0.274.0`](flow/flow-bin@c5226c9...2e4378a)[Compare Source](flow/flow-bin@c5226c9...2e4378a)### [`v0.273.1`](flow/flow-bin@b27a083...c5226c9)[Compare Source](flow/flow-bin@b27a083...c5226c9)### [`v0.272.2`](flow/flow-bin@bbfb18b...b27a083)[Compare Source](flow/flow-bin@bbfb18b...b27a083)### [`v0.272.1`](flow/flow-bin@0d366a0...bbfb18b)[Compare Source](flow/flow-bin@0d366a0...bbfb18b)### [`v0.272.0`](flow/flow-bin@d8aeeaf...0d366a0)[Compare Source](flow/flow-bin@d8aeeaf...0d366a0)### [`v0.271.0`](flow/flow-bin@4f66822...d8aeeaf)[Compare Source](flow/flow-bin@4f66822...d8aeeaf)### [`v0.270.0`](flow/flow-bin@c6688e6...4f66822)[Compare Source](flow/flow-bin@c6688e6...4f66822)### [`v0.269.1`](flow/flow-bin@64d5dff...c6688e6)[Compare Source](flow/flow-bin@64d5dff...c6688e6)### [`v0.268.0`](flow/flow-bin@e5dc5e2...64d5dff)[Compare Source](flow/flow-bin@e5dc5e2...64d5dff)### [`v0.267.0`](flow/flow-bin@708e9da...e5dc5e2)[Compare Source](flow/flow-bin@708e9da...e5dc5e2)### [`v0.266.1`](flow/flow-bin@a25570a...708e9da)[Compare Source](flow/flow-bin@a25570a...708e9da)### [`v0.266.0`](flow/flow-bin@9fe14be...a25570a)[Compare Source](flow/flow-bin@9fe14be...a25570a)### [`v0.265.3`](flow/flow-bin@e35201f...9fe14be)[Compare Source](flow/flow-bin@e35201f...9fe14be)### [`v0.265.2`](flow/flow-bin@3310f3b...e35201f)[Compare Source](flow/flow-bin@3310f3b...e35201f)### [`v0.265.1`](flow/flow-bin@3d9eb6b...3310f3b)[Compare Source](flow/flow-bin@3d9eb6b...3310f3b)### [`v0.265.0`](flow/flow-bin@c27e9f2...3d9eb6b)[Compare Source](flow/flow-bin@c27e9f2...3d9eb6b)### [`v0.264.0`](flow/flow-bin@fbd62c2...c27e9f2)[Compare Source](flow/flow-bin@fbd62c2...c27e9f2)### [`v0.263.0`](flow/flow-bin@6f390f3...fbd62c2)[Compare Source](flow/flow-bin@6f390f3...fbd62c2)### [`v0.262.0`](flow/flow-bin@7cdf16d...6f390f3)[Compare Source](flow/flow-bin@7cdf16d...6f390f3)### [`v0.261.2`](flow/flow-bin@299a032...7cdf16d)[Compare Source](flow/flow-bin@299a032...7cdf16d)### [`v0.261.1`](flow/flow-bin@5aafae9...299a032)[Compare Source](flow/flow-bin@5aafae9...299a032)### [`v0.261.0`](flow/flow-bin@b630c2e...5aafae9)[Compare Source](flow/flow-bin@b630c2e...5aafae9)### [`v0.260.0`](flow/flow-bin@3ad8609...b630c2e)[Compare Source](flow/flow-bin@3ad8609...b630c2e)### [`v0.259.1`](flow/flow-bin@518e655...3ad8609)[Compare Source](flow/flow-bin@518e655...3ad8609)### [`v0.259.0`](flow/flow-bin@6b44f16...518e655)[Compare Source](flow/flow-bin@6b44f16...518e655)### [`v0.258.1`](flow/flow-bin@f896a24...6b44f16)[Compare Source](flow/flow-bin@f896a24...6b44f16)### [`v0.258.0`](flow/flow-bin@d56a9db...f896a24)[Compare Source](flow/flow-bin@d56a9db...f896a24)### [`v0.257.1`](flow/flow-bin@3833ba2...d56a9db)[Compare Source](flow/flow-bin@3833ba2...d56a9db)### [`v0.257.0`](flow/flow-bin@9df2d7e...3833ba2)[Compare Source](flow/flow-bin@9df2d7e...3833ba2)### [`v0.256.0`](flow/flow-bin@b2ef58c...9df2d7e)[Compare Source](flow/flow-bin@b2ef58c...9df2d7e)### [`v0.255.0`](flow/flow-bin@e96e0c0...b2ef58c)[Compare Source](flow/flow-bin@e96e0c0...b2ef58c)### [`v0.254.2`](flow/flow-bin@5d4eb96...e96e0c0)[Compare Source](flow/flow-bin@5d4eb96...e96e0c0)### [`v0.254.1`](flow/flow-bin@386571a...5d4eb96)[Compare Source](flow/flow-bin@386571a...5d4eb96)### [`v0.254.0`](flow/flow-bin@2d1ed37...386571a)[Compare Source](flow/flow-bin@2d1ed37...386571a)### [`v0.253.0`](flow/flow-bin@8f3f2d6...2d1ed37)[Compare Source](flow/flow-bin@8f3f2d6...2d1ed37)### [`v0.252.0`](flow/flow-bin@f1169c6...8f3f2d6)[Compare Source](flow/flow-bin@f1169c6...8f3f2d6)### [`v0.251.1`](flow/flow-bin@c50c846...f1169c6)[Compare Source](flow/flow-bin@c50c846...f1169c6)### [`v0.251.0`](flow/flow-bin@41582c8...c50c846)[Compare Source](flow/flow-bin@41582c8...c50c846)### [`v0.250.0`](flow/flow-bin@030d7cf...41582c8)[Compare Source](flow/flow-bin@030d7cf...41582c8)### [`v0.249.0`](flow/flow-bin@7f53cc6...030d7cf)[Compare Source](flow/flow-bin@7f53cc6...030d7cf)### [`v0.248.1`](flow/flow-bin@e6851f8...7f53cc6)[Compare Source](flow/flow-bin@e6851f8...7f53cc6)### [`v0.248.0`](flow/flow-bin@70454fd...e6851f8)[Compare Source](flow/flow-bin@70454fd...e6851f8)</details><details><summary>pgjdbc/pgjdbc</summary>### [`v42.7.7`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4277-2025-06-10)##### Security- security: **Client Allows Fallback to Insecure Authentication Despite channelBinding=require configuration.** Fix `channel binding required` handling to reject non-SASL authentication Previously, when channel binding was set to "require", the driver would silently ignore this requirement for non-SASL authentication methods. This could lead to a false sense of security when channel binding was explicitly requested but not actually enforced. The fix ensures that when channel binding is set to "require", the driver will reject connections that use non-SASL authentication methods or when SASL authentication has not completed properly. See the [Security Advisory](GHSA-hq9p-pm7w-8p54) for more detail. Reported by [George MacKerron](https://github.com/jawj) The following [CVE-2025-49146](https://nvd.nist.gov/vuln/detail/CVE-2025-49146) has been issued##### Added- test: Added ChannelBindingRequiredTest to verify proper behavior of channel binding settings### [`v42.7.6`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4276)##### Features- fix: Enhanced DatabaseMetadata.getIndexInfo() method, added index comment as REMARKS property [MR #​3513](pgjdbc/pgjdbc#3513)##### Performance Improvements- performance: Improve ResultSetMetadata.fetchFieldMetaData by using IN row values instead of UNION ALL for improved query performance (later reverted) [MR #​3510](pgjdbc/pgjdbc#3510)- feat:Use a single simple query for all startup parameters, so groupStartupParameters is no longer needed [MR #​3613](pgjdbc/pgjdbc#3613)-### [`v42.7.5`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4275-2025-01-14-080000--0400)##### Added- ci: Test with Java 23 [MR #​3381](pgjdbc/pgjdbc#3381)##### Fixed- regression: revert change in [`fc60537`](pgjdbc/pgjdbc@fc60537) [MR #​3476](pgjdbc/pgjdbc#3476)- fix: PgDatabaseMetaData implementation of catalog as param and return value [MR #​3390](pgjdbc/pgjdbc#3390)- fix: Support default GSS credentials in the Java Postgres client [MR #​3451](pgjdbc/pgjdbc#3451)- fix: return only the transactions accessible by the current_user in XAResource.recover [MR #​3450](pgjdbc/pgjdbc#3450)- feat: don't force send extra_float_digits for PostgreSQL >= 12 fix [Issue #​3432](pgjdbc/pgjdbc#3432) [MR #​3446](pgjdbc/pgjdbc#3446)- fix: exclude "include columns" from the list of primary keys [MR #​3434](pgjdbc/pgjdbc#3434)- perf: Enhance the meta query performance by specifying the oid. [MR #​3427](pgjdbc/pgjdbc#3427)- feat: support getObject(int, byte\[].class) for bytea [MR #​3274](pgjdbc/pgjdbc#3274)- docs: document infinity and some minor edits [MR #​3407](pgjdbc/pgjdbc#3407)- fix: Added way to check for major server version, fixed check for RULE [MR #​3402](pgjdbc/pgjdbc#3402)- docs: fixed remaining paragraphs [MR #​3398](pgjdbc/pgjdbc#3398)- docs: fixed paragraphs in javadoc comments [MR #​3397](pgjdbc/pgjdbc#3397)- fix: Reuse buffers and reduce allocations in GSSInputStream addresses [Issue #​3251](pgjdbc/pgjdbc#3251) [MR #​3255](pgjdbc/pgjdbc#3255)- chore: Update Gradle to 8.10.2 [MR #​3388](pgjdbc/pgjdbc#3388)- fix: getSchemas() [MR #​3386](pgjdbc/pgjdbc#3386)- fix: Update rpm postgresql-jdbc.spec.tpl with scram-client [MR #​3324](pgjdbc/pgjdbc#3324)- fix: Clearing thisRow and rowBuffer on close() of ResultSet [Issue #​3383](pgjdbc/pgjdbc#3383) [MR #​3384](pgjdbc/pgjdbc#3384)- fix: Package was renamed to maven-bundle-plugin [MR #​3382](pgjdbc/pgjdbc#3382)- fix: As of version 18 the RULE privilege has been removed [MR #​3378](pgjdbc/pgjdbc#3378)- fix: use buffered inputstream to create GSSInputStream [MR #​3373](pgjdbc/pgjdbc#3373)- test: get rid of 8.4, 9.0 pg versions and use >= jdk version 17 [MR #​3372](pgjdbc/pgjdbc#3372)- Changed docker-compose version and renamed script file in instructions to match the real file name [MR #​3363](pgjdbc/pgjdbc#3363)- test:Do not assume "test" database in DatabaseMetaDataTransactionIsolationTest [MR #​3364](pgjdbc/pgjdbc#3364)- try to categorize dependencies [MR #​3362](pgjdbc/pgjdbc#3362)</details><details><summary>liquibase/liquibase</summary>### [`v4.32.0`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4320-is-a-major-release)[Compare Source](liquibase/liquibase@v4.31.1...v4.32.0)See the [Liquibase 4.32.0 Release Notes](https://docs.liquibase.com/start/release-notes/liquibase-release-notes/liquibase-4.32.0.html) for the complete set of release information.### [`v4.31.1`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4311-is-a-patch-release)[Compare Source](liquibase/liquibase@v4.31.0...v4.31.1)> \[!IMPORTANT]> Liquibase 4.31.1 patches vulnerability found in Snowlake driver (CVE-2025-24789) and resolves issue with include and logicalfilepath reported in 4.31.0 (see 4.31.0 Release Notes)> \[!NOTE]> See the [Liquibase 4.31.1 Release Notes](https://docs.liquibase.com/start/release-notes/liquibase-release-notes/liquibase-4.31.1.html) for the complete set of release information.### [`v4.31.0`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4310-is-a-major-release)[Compare Source](liquibase/liquibase@v4.30.0...v4.31.0)> \[!NOTE]> See the [Liquibase 4.31.0 Release Notes](https://docs.liquibase.com/start/release-notes/liquibase-release-notes/liquibase-4.31.0.html) for the complete set of release information.### [`v4.30.0`](https://github.com/liquibase/liquibase/blob/HEAD/changelog.txt#Liquibase-4300-is-a-major-release)[Compare Source](liquibase/liquibase@v4.29.2...v4.30.0)> \[!IMPORTANT]> Liquibase 4.30.0 contains new capabilities and notable enhancements for Liquibase OSS and Pro users including Anonymous Analytics and deprecation of the MacOS dmg installer.> \[!NOTE]> See the [Liquibase 4.30.0 Release Notes](https://docs.liquibase.com/start/release-notes/liquibase-release-notes/liquibase-4.30.0.html) for the complete set of release information.</details><details><summary>jhy/jsoup</summary>### [`v1.21.1`](https://github.com/jhy/jsoup/blob/HEAD/CHANGES.md#​1211-2025-Jun-23)##### Changes- Removed previously deprecated methods. [#​2317](jhy/jsoup#2317)- Deprecated the `:matchText` pseduo-selector due to its side effects on the DOM; use the new `::textnode` selector and the `Element#selectNodes(String css, Class type)` method instead. [#​2343](jhy/jsoup#2343)- Deprecated `Connection.Response#bufferUp()` in lieu of `Connection.Response#readFully()` which can throw a checked IOException.- Deprecated internal methods `Validate#ensureNotNull` (replaced by typed `Validate#expectNotNull`); protected HTML appenders from Attribute and Node.- If you happen to be using any of the deprecated methods, please take the opportunity now to migrate away from them, as they will be removed in a future release.##### Improvements- Enhanced the `Selector` to support direct matching against nodes such as comments and text nodes. For example, you can now find an element that follows a specific comment: `::comment:contains(prices) + p` will select `p` elements immediately after a `<!-- prices: -->` comment. Supported types include `::node`, `::leafnode`, `::comment`, `::text`, `::data`, and `::cdata`. Node contextual selectors like `::node:contains(text)`, `:matches(regex)`, and `:blank` are also supported. Introduced `Element#selectNodes(String css)` and `Element#selectNodes(String css, Class nodeType)` for direct node selection. [#​2324](jhy/jsoup#2324)- Added `TagSet#onNewTag(Consumer<Tag> customizer)`: register a callback that’s invoked for each new or cloned Tag when it’s inserted into the set. Enables dynamic tweaks of tag options (for example, marking all custom tags as self-closing, or everything in a given namespace as preserving whitespace).- Made `TokenQueue` and `CharacterReader` autocloseable, to ensure that they will release their buffers back to the buffer pool, for later reuse.- Added `Selector#evaluatorOf(String css)`, as a clearer way to obtain an Evaluator from a CSS query. An alias of `QueryParser.parse(String css)`.- Custom tags (defined via the `TagSet`) in a foreign namespace (e.g. SVG) can be configured to parse as data tags.- Added `NodeVisitor#traverse(Node)` to simplify node traversal calls (vs. importing `NodeTraversor`).- Updated the default user-agent string to improve compatibility. [#​2341](jhy/jsoup#2341)- The HTML parser now allows the specific text-data type (Data, RcData) to be customized for known tags. (Previously, that was only supported on custom tags.) [#​2326](jhy/jsoup#2326).- Added `Connection#readFully()` as a replacement for `Connection#bufferUp()` with an explicit IOException. Similarly, added `Connection#readBody()` over `Connection#body()`. Deprecated `Connection#bufferUp()`. [#​2327](jhy/jsoup#2327)- When serializing HTML, the `<` and `>` characters are now escaped in attributes. This helps prevent a class of mutation XSS attacks. [#​2337](jhy/jsoup#2337)- Changed `Connection` to prefer using the JDK's HttpClient over HttpUrlConnection, if available, to enable HTTP/2 support by default. Users can disable via `-Djsoup.useHttpClient=false`. [#​2340](jhy/jsoup#2340)##### Bug Fixes- The contents of a `script` in a `svg` foreign context should be parsed as script data, not text. [#​2320](jhy/jsoup#2320)- `Tag#isFormSubmittable()` was updating the Tag's options. [#​2323](jhy/jsoup#2323)- The HTML pretty-printer would incorrectly trim whitespace when text followed an inline element in a block element. [#​2325](jhy/jsoup#2325)- Custom tags with hyphens or other non-letter characters in their names now work correctly as Data or RcData tags. Their closing tags are now tokenized properly. [#​2332](jhy/jsoup#2332)- When cloning an Element, the clone would retain the source's cached child Element list (if any), which could lead to incorrect results when modifying the clone's child elements. [#​2334](jhy/jsoup#2334)### [`v1.20.1`](https://github.com/jhy/jsoup/blob/HEAD/CHANGES.md#​1201-2025-Apr-29)##### Changes- To better follow the HTML5 spec and current browsers, the HTML parser no longer allows self-closing tags (`<foo />`) to close HTML elements by default. Foreign content (SVG, MathML), and content parsed with the XML parser, still supports self-closing tags. If you need specific HTML tags to support self-closing, you can register a custom tag via the `TagSet` configured in `Parser.tagSet()`, using `Tag#set(Tag.SelfClose)`. Standard void tags (such as `<img>`, `<br>`, etc.) continue to behave as usual and are not affected by this change. [#​2300](jhy/jsoup#2300).- The following internal components have been **deprecated**. If you do happen to be using any of these, please take the opportunity now to migrate away from them, as they will be removed in jsoup 1.21.1. - `ChangeNotifyingArrayList`, `Document.updateMetaCharsetElement()`, `Document.updateMetaCharsetElement(boolean)`, `HtmlTreeBuilder.isContentForTagData(String)`, `Parser.isContentForTagData(String)`, `Parser.setTreeBuilder(TreeBuilder)`, `Tag.formatAsBlock()`, `Tag.isFormListed()`, `TokenQueue.addFirst(String)`, `TokenQueue.chompTo(String)`, `TokenQueue.chompToIgnoreCase(String)`, `TokenQueue.consumeToIgnoreCase(String)`, `TokenQueue.consumeWord()`, `TokenQueue.matchesAny(String...)`##### Functional Improvements- Rebuilt the HTML pretty-printer, to simplify and consolidate the implementation, improve consistency, support custom Tags, and provide a cleaner path for ongoing improvements. The specific HTML produced by the pretty-printer may be different from previous versions. [#​2286](jhy/jsoup#2286).- Added the ability to define custom tags, and to modify properties of known tags, via the `TagSet` tag collection. Their properties can impact both the parse and how content is serialized (output as HTML or XML). [#​2285](jhy/jsoup#2285).- `Element.cssSelector()` will prefer to return shorter selectors by using ancestor IDs when available and unique. E.g. `#id > div > p` instead of `html > body > div > div > p` [#​2283](jhy/jsoup#2283).- Added `Elements.deselect(int index)`, `Elements.deselect(Object o)`, and `Elements.deselectAll()` methods to remove elements from the `Elements` list without removing them from the underlying DOM. Also added `Elements.asList()` method to get a modifiable list of elements without affecting the DOM. (Individual Elements remain linked to the DOM.) [#​2100](jhy/jsoup#2100).- Added support for sending a request body from an InputStream with `Connection.requestBodyStream(InputStream stream)`. [#​1122](jhy/jsoup#1122).- The XML parser now supports scoped xmlns: prefix namespace declarations, and applies the correct namespace to Tags and Attributes. Also, added `Tag#prefix()`, `Tag#localName()`, `Attribute#prefix()`, `Attribute#localName()`, and `Attribute#namespace()` to retrieve these. [#​2299](jhy/jsoup#2299).- CSS identifiers are now escaped and unescaped correctly to the CSS spec. `Element#cssSelector()` will emit appropriately escaped selectors, and the QueryParser supports those. Added `Selector.escapeCssIdentifier()` and `Selector.unescapeCssIdentifier()`. [#​2297](jhy/jsoup#2297), [#​2305](jhy/jsoup#2305)##### Structure and Performance Improvements- Refactored the CSS `QueryParser` into a clearer recursive descent parser. [#​2310](jhy/jsoup#2310).- CSS selectors with consecutive combinators (e.g. `div >> p`) will throw an explicit parse exception. [#​2311](jhy/jsoup#2311).- Performance: reduced the shallow size of an Element from 40 to 32 bytes, and the NodeList from 32 to 24. [#​2307](jhy/jsoup#2307).- Performance: reduced GC load of new StringBuilders when tokenizing input HTML. [#​2304](jhy/jsoup#2304).- Made `Parser` instances threadsafe, so that inadvertent use of the same instance across threads will not lead to errors. For actual concurrency, use `Parser#newInstance()` per thread. [#​2314](jhy/jsoup#2314).##### Bug Fixes- Element names containing characters invalid in XML are now normalized to valid XML names when serializing. [#​1496](jhy/jsoup#1496).- When serializing to XML, characters that are invalid in XML 1.0 should be removed (not encoded). [#​1743](jhy/jsoup#1743).- When converting a `Document` to the W3C DOM in `W3CDom`, elements with an attribute in an undeclared namespace now get a declaration of `xmlns:prefix="undefined"`. This allows subsequent serialization to XML via `W3CDom.asString()` to succeed. [#​2087](jhy/jsoup#2087).- The `StreamParser` could emit the final elements of a document twice, due to how `onNodeCompleted` was fired when closing out the stack. [#​2295](jhy/jsoup#2295).- When parsing with the XML parser and error tracking enabled, the trailing `?` in `<?xml version="1.0"?>` would incorrectly emit an error. [#​2298](jhy/jsoup#2298).- Calling `Element#cssSelector()` on an element with combining characters in the class or ID now produces the correct output. [#​1984](jhy/jsoup#1984).### [`v1.19.1`](https://github.com/jhy/jsoup/blob/HEAD/CHANGES.md#​1191-2025-Mar-04)##### Changes- Added support for **http/2** requests in `Jsoup.connect()`, when running on Java 11+, via the Java HttpClient implementation. [#​2257](jhy/jsoup#2257). - In this version of jsoup, the default is to make requests via the HttpUrlConnection implementation: use **`System.setProperty("jsoup.useHttpClient", "true");`** to enable making requests via the HttpClient instead , which will enable http/2 support, if available. This will become the default in a later version of jsoup, so now is a good time to validate it. - If you are repackaging the jsoup jar in your deployment (i.e. creating a shaded- or a fat-jar), make sure to specify that as a Multi-Release JAR. - If the `HttpClient` impl is not available in your JRE, requests will continue to be made via `HttpURLConnection` (in `http/1.1` mode).- Updated the minimum Android API Level validation from 10 to **21**. As with previous jsoup versions, Android developers need to enable core library desugaring. The minimum Java version remains Java 8. [#​2173](jhy/jsoup#2173)- Removed previously deprecated class: `org.jsoup.UncheckedIOException` (replace with `java.io.UncheckedIOException`); moved previously deprecated method `Element Element#forEach(Consumer)` to `void Element#forEach(Consumer())`. [#​2246](jhy/jsoup#2246)- Deprecated the methods `Document#updateMetaCharsetElement(boolean)` and `Document#updateMetaCharsetElement()`, as the setting had no effect. When `Document#charset(Charset)` is called, the document's meta charset or XML encoding instruction is always set. [#​2247](jhy/jsoup#2247)##### Improvements- When cleaning HTML with a `Safelist` that preserves relative links, the `isValid()` method will now consider these links valid. Additionally, the enforced attribute `rel=nofollow` will only be added to external links when configured in the safelist. [#​2245](jhy/jsoup#2245)- Added `Element#selectStream(String query)` and `Element#selectStream(Evaluator)` methods, that return a `Stream` of matching elements. Elements are evaluated and returned as they are found, and the stream can be terminated early. [#​2092](jhy/jsoup#2092)- `Element` objects now implement `Iterable`, enabling them to be used in enhanced for loops.- Added support for fragment parsing from a `Reader` via `Parser#parseFragmentInput(Reader, Element, String)`. [#​1177](jhy/jsoup#1177)- Reintroduced CLI executable examples, in `jsoup-examples.jar`. [#​1702](jhy/jsoup#1702)- Optimized performance of selectors like `#id .class` (and other similar descendant queries) by around 4.6x, by better balancing the Ancestor evaluator's cost function in the query planner. [#​2254](jhy/jsoup#2254)- Removed the legacy parsing rules for `<isindex>` tags, which would autovivify a `form` element with labels. This is no longer in the spec.- Added `Elements.selectFirst(String cssQuery)` and `Elements.expectFirst(String cssQuery)`, to select the first matching element from an `Elements` list. [#​2263](jhy/jsoup#2263)- When parsing with the XML parser, XML Declarations and Processing Instructions are directly handled, vs bouncing through the HTML parser's bogus comment handler. Serialization for non-doctype declarations no longer end with a spurious `!`. [#​2275](jhy/jsoup#2275)- When converting parsed HTML to XML or the W3C DOM, element names containing `<` are normalized to `_` to ensure valid XML. For example, `<foo<bar>` becomes `<foo_bar>`, as XML does not allow `<` in element names, but HTML5 does. [#​2276](jhy/jsoup#2276)- Reimplemented the HTML5 Adoption Agency Algorithm to the current spec. This handles mis-nested formating / structural elements. [#​2278](jhy/jsoup#2278)##### Bug Fixes- If an element has an `;` in an attribute name, it could not be converted to a W3C DOM element, and so subsequent XPath queries could miss that element. Now, the attribute name is more completely normalized. [#​2244](jhy/jsoup#2244)- For backwards compatibility, reverted the internal attribute key for doctype names to "name". [#​2241](jhy/jsoup#2241)- In `Connection`, skip cookies that have no name, rather than throwing a validation exception. [#​2242](jhy/jsoup#2242)- When running on JDK 1.8, the error `java.lang.NoSuchMethodError: java.nio.ByteBuffer.flip()Ljava/nio/ByteBuffer;` could be thrown when calling `Response#body()` after parsing from a URL and the buffer size was exceeded. [#​2250](jhy/jsoup#2250)- For backwards compatibility, allow `null` InputStream inputs to `Jsoup.parse(InputStream stream, ...)`, by returning an empty `Document`. [#​2252](jhy/jsoup#2252)- A `template` tag containing an `li` within an open `li` would be parsed incorrectly, as it was not recognized as a "special" tag (which have additional processing rules). Also, added the SVG and MathML namespace tags to the list of special tags. [#​2258](jhy/jsoup#2258)- A `template` tag containing a `button` within an open `button` would be parsed incorrectly, as the "in button scope" check was not aware of the `template` element. Corrected other instances including MathML and SVG elements, also. [#​2271](jhy/jsoup#2271)- An `:nth-child` selector with a negative digit-less step, such as `:nth-child(-n+2)`, would be parsed incorrectly as a positive step, and so would not match as expected. [#​1147](jhy/jsoup#1147)- Calling `doc.charset(charset)` on an empty XML document would throw an `IndexOutOfBoundsException`. [#​2266](jhy/jsoup#2266)- Fixed a memory leak when reusing a nested `StructuralEvaluator` (e.g., a selector ancestor chain like `A B C`) by ensuring cache reset calls cascade to inner members. [#​2277](jhy/jsoup#2277)- Concurrent calls to `doc.clone().append(html)` were not supported. When a document was cloned, its `Parser` was not cloned but was a shallow copy of the original parser. [#​2281](jhy/jsoup#2281)### [`v1.18.3`](https://github.com/jhy/jsoup/blob/HEAD/CHANGES.md#​1183-2024-Dec-02)##### Bug Fixes- When serializing to XML, attribute names containing `-`, `.`, or digits were incorrectly marked as invalid and removed. [2235](jhy/jsoup#2235)### [`v1.18.2`](https://github.com/jhy/jsoup/blob/HEAD/CHANGES.md#​1182-2024-Nov-27)##### Improvements- Optimized the throughput and memory use throughout the input read and parse flows, with heap allocations and GC down between -6% and -89%, and throughput improved up to +143% for small inputs. Most inputs sizes will see throughput increases of ~ 20%. These performance improvements come through recycling the backing `byte[]` and `char[]` arrays used to read and parse the input. [2186](jhy/jsoup#2186)- Speed optimized `html()` and `Entities.escape()` when the input contains UTF characters in a supplementary plane, by around 49%. [2183](jhy/jsoup#2183)- The form associated elements returned by `FormElement.elements()` now reflect changes made to the DOM, subsequently to the original parse. [2140](jhy/jsoup#2140)- In the `TreeBuilder`, the `onNodeInserted()` and `onNodeClosed()` events are now also fired for the outermost / root `Document` node. This enables source position tracking on the Document node (which was previously unset). And it also enables the node traversor to see the outer Document node. [2182](jhy/jsoup#2182)- Selected Elements can now be position swapped inline using `Elements#set()`. [2212](jhy/jsoup#2212)##### Bug Fixes- `Element.cssSelector()` would fail if the element's class contained a `*` character. [2169](jhy/jsoup#2169)- When tracking source ranges, a text node following an invalid self-closing element may be left untracked. [2175](jhy/jsoup#2175)- When a document has no doctype, or a doctype not named `html`, it should be parsed in Quirks Mode. [2197](jhy/jsoup#2197)- With a selector like `div:has(span + a)`, the `has()` component was not working correctly, as the inner combining query caused the evaluator to match those against the outer's siblings, not children. [2187](jhy/jsoup#2187)- A selector query that included multiple `:has()` components in a nested `:has()` might incorrectly execute. [2131](jhy/jsoup#2131)- When cookie names in a response are duplicated, the simple view of cookies available via `Connection.Response#cookies()` will provide the last one set. Generally it is better to use the [Jsoup.newSession](https://jsoup.org/cookbook/web/request-session) method to maintain a cookie jar, as that applies appropriate path selection on cookies when making requests. [1831](jhy/jsoup#1831)- When parsing named HTML entities, base entities should resolve if they are a prefix of the input token (and not in an attribute). [2207](jhy/jsoup#2207)- Fixed incorrect tracking of source ranges for attributes merged from late-occurring elements that were implicitly created (`html` or `body`). [2204](jhy/jsoup#2204)- Follow the current HTML specification in the tokenizer to allow `<` as part of a tag name, instead of emitting it as a character node. [2230](jhy/jsoup#2230)- Similarly, allow a `<` as the start of an attribute name, vs creating a new element. The previous behavior was intended to parse closer to what we anticipated the author's intent to be, but that does not align to the spec or to how browsers behave. [1483](jhy/jsoup#1483)</details><details><summary>java-native-access/jna</summary>### [`v5.17.0`](https://github.com/java-native-access/jna/blob/HEAD/CHANGES.md#Release-5170)[Compare Source](java-native-access/jna@5.16.0...5.17.0)\================## Features- [#​1658](java-native-access/jna#1658): Add win32 power event constants, types, and functions - [@​eranl](https://github.com/eranl).## Bug Fixes- [#​1647](java-native-access/jna#1647): Fix calls to jnidispatch on Android with 16KB page size (part 2) - [@​BugsBeGone](https://github.com/BugsBeGone).### [`v5.16.0`](https://github.com/java-native-access/jna/blob/HEAD/CHANGES.md#Release-5160)[Compare Source](java-native-access/jna@5.15.0...5.16.0)\==============## Features- [#​1626](java-native-access/jna#1626): Add caching of field list and field validation in `Structure` along with more efficient reentrant read-write locking instead of synchronized() blocks - [@​BrettWooldridge](https://github.com/brettwooldridge)## Bug Fixes- [#​1618](java-native-access/jna#1618): Fix calls to jnidispatch on Android with 16KB page size - [@​Thomyrock](https://github.com/Thomyrock)</details><details><summary>vladmihalcea/hypersistence-utils</summary>### [`v3.10.1`](https://github.com/vladmihalcea/hypersistence-utils/blob/HEAD/changelog.txt#Version-3101---June-14-2025)\================================================================================Update description in pom.xml to mention support of Hibernate 6.6 [#​790](vladmihalcea/hypersistence-utils#790)Remove the central-publishing-maven-plugin dependency [#​789](vladmihalcea/hypersistence-utils#789)</details><details><summary>diffplug/spotless</summary>### [`v2.44.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#​2440---2024-01-15)##### Added- New static method to `DiffMessageFormatter` which allows to retrieve diffs with their line numbers ([#​1960](diffplug/spotless#1960))- Gradle - Support for formatting shell scripts via [shfmt](https://github.com/mvdan/sh). ([#​1994](diffplug/spotless#1994))##### Fixed- Fix empty files with biome >= 1.5.0 when formatting files that are in the ignore list of the biome configuration file. ([#​1989](diffplug/spotless#1989) fixes [#​1987](diffplug/spotless#1987))- Fix a regression in BufStep where the same arguments were being provided to every `buf` invocation. ([#​1976](diffplug/spotless#1976))##### Changed- Use palantir-java-format 2.39.0 on Java 21. ([#​1948](diffplug/spotless#1948))- Bump default `ktlint` version to latest `1.0.1` -> `1.1.1`. ([#​1973](diffplug/spotless#1973))- Bump default `googleJavaFormat` version to latest `1.18.1` -> `1.19.2`. ([#​1971](diffplug/spotless#1971))- Bump default `diktat` version to latest `1.2.5` -> `2.0.0`. ([#​1972](diffplug/spotless#1972))</details>---### Configuration📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).🚦 **Automerge**: Enabled.♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.--- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box---This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
None yet
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When using the GSSAPI for authentication without JAAS, the postgres Java client library assumes that the GSS (kerberos) principal name is
$user@$REALM, and hard-codes the username in the call toGSSManager.createCredential()before trying to create the credential. In most kerberos environments, this is a perfectly reasonable assumption, but it breaks when the user running the process does not have a user formatted in that way.GSSManager.createCredential()has a different overload that doesn't take any hints over the principal to use to create a credential, which instead looks in your Kerberos ccache to see what the default credential is and uses that instead. This continues to assume that you already have a valid Kerberos ccache (which many corporate environments, such as ours, create automatically for you).This PR allows the user to provide a new option in the postgres connection properties called
gssUseDefaultCredswhich causes the code to call the no-hint version ofcreateCredential()to avoid this particular issue. I'll note that in most cases, getting the default creds is exactly what you want, and it might even be that a better fix is for this to be the default, but I've not done that here.A reasonable question at this point is: well, why not use JAAS to do that for you? The answer is nuanced - if you happen to use a file-based ccache, then you can indeed use JAAS for this. Unfortunately though, JAAS uses the "pure Java" part of the JGSS codebase which (at least on Linux) does not have a "native" implementation, and is limited in the types of ccache supported. In particular, it does not support KCM, which is a standard way to use a host-based daemon to store the key material for you. There are several implementations of KCM (Heimdal Kerberos has one, as do RedHat with SSSD), and using KCM requires the use of the system libraries via the JGSS 'native' implementation, which JAAS does not support.
Thus in addition to avoiding the naming assuming, this PR also allows for the use of existing default credentials via the 'native' JGSS implementation on Linux, and hence supports all ccache types that the system libraries do.
All Submissions:
New Feature Submissions:
./gradlew styleCheckpass ? YesChanges to Existing Features:
No breaks to existing behaviour, as the option defaults to 'false'. It only changes one piece of code, introducing a conditional to use default GSS credentials instead of assuming that the non-fully qualified principal name is the same as the postgres 'user'.
Documentation updated, motivation above.
I'm happy to write tests, but I can't see how the existing GSS code-paths are tested (and I imagine there isn't a sandbox on github where they can be tested). If you have pointers, please provide and I'll work within that.
Yes - these changes work in our Kerberos environment, where we have a slightly unusual setup where the principals that people use day-to-day are not strictly user-principals (this is perfectly valid, but unusual), and where the 'short' (no realm) principal name is derived from the username, but does not equal it.
Tested on RHEL8.