Quick survey of current approaches reveals that unsurprisingly, this area is full of Enterprise Development Goodness
(i.e. it's a complete mess).
SQL Server uses the "authentication" and "authenticationScheme" connection
properties.
https://docs.microsoft.com/en-us/sql/connect/jdbc/setting-the-connection-properties?view=sql-server-2017
Or SQL Server can use extra fields on the URL like
jdbc:jtds:sqlserver://<MSSQL_HOST>:1433;databaseName=<DB_NAME>;domain=<DOMAIN>;integratedSecurity=true;authenticationScheme=JavaKerberos
https://docs.microsoft.com/en-us/sql/connect/jdbc/using-kerberos-integrated-authentication-to-connect-to-sql-server?view=sql-server-2017
PostgreSQL uses the "jaasLogin" connection property:
https://jdbc.postgresql.org/documentation/head/connect.html
MySQL uses a "com.mysql.jdbc.authentication.MysqlClearPasswordPlugin" property:
https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-using-pam.html
On 2018/05/14 10:20 PM, AleVen wrote:
In my mind external authentication should be plugged in as an additional option without creating incompatibilities
(especially in the protocol)
Definitely.
It could be obtained by using connectionInfo properties; a new client side
property AUTHREALM={xxx} triggers:
* on client to store the password in a temporary property (like _PASSWORD)
* on server side it acts as a flag for externally authenticated users
That sounds reasonable. The server should however, be explicitly configured to turn on external auth via one of our
usual SET property things.
Another point is how to model it:
- it would be great to define external users as temporary database users
- rights of external users to object database managed through roles
- mapping between external users and database roles performed during
authentication
Whatever you do here I'd prefer it be hidden behind some interface that other people can implement. You are welcome to
supply a default example implementation that does exactly what you want.
If need be we can tweak some other parts of H2 to make it easier (e.g. adding a
TEMPORARY property to CREATE USER)
The reason being that everybody is going to want something a little different.
Otherwise, sounds good!
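
Added example, not part of the original message and not H2 code: a Java sketch of the design discussed in this thread, with a pluggable authenticator interface, a default example implementation, and a server that honours AUTHREALM only when external authentication has been explicitly enabled. Every type name, the `USER` property, the role name and the sample credentials are hypothetical; only AUTHREALM and _PASSWORD come from the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

// Hypothetical sketch: none of these types are H2 classes.
public class ExternalAuthSketch {
    /** Pluggable hook: returns the roles to grant, or empty to reject the login. */
    interface ExternalAuthenticator {
        Optional<Set<String>> authenticate(String realm, String user, byte[] password);
    }

    /** Default example implementation backed by constructed sample data. */
    static final class StaticDirectory implements ExternalAuthenticator {
        public Optional<Set<String>> authenticate(String realm, String user, byte[] password) {
            byte[] expected = "s3cret".getBytes(StandardCharsets.UTF_8); // constructed sample
            boolean ok = "corp".equals(realm) && "alice".equals(user)
                    && MessageDigest.isEqual(expected, password);
            return ok ? Optional.of(Set.of("REPORT_READER")) : Optional.empty();
        }
    }

    static final class Server {
        private final boolean externalAuthEnabled; // stands in for a server-side SET option
        private final ExternalAuthenticator authenticator;
        Server(boolean enabled, ExternalAuthenticator a) { externalAuthEnabled = enabled; authenticator = a; }

        /** Returns the roles of the temporary user created for this session. */
        Set<String> connect(Properties info) {
            String realm = info.getProperty("AUTHREALM");
            String secret = (String) info.remove("_PASSWORD"); // do not keep it in connection info
            if (realm == null) throw new IllegalArgumentException("no AUTHREALM: internal login, not shown");
            if (!externalAuthEnabled) throw new SecurityException("external authentication is not enabled");
            if (secret == null) throw new SecurityException("missing credentials");
            byte[] pw = secret.getBytes(StandardCharsets.UTF_8);
            try {
                return authenticator.authenticate(realm, info.getProperty("USER"), pw)
                        .orElseThrow(() -> new SecurityException("external login rejected"));
            } finally {
                Arrays.fill(pw, (byte) 0); // wipe the temporary copy
            }
        }
    }

    public static void main(String[] args) {
        Properties info = new Properties();
        info.setProperty("USER", "alice");
        info.setProperty("AUTHREALM", "corp");
        info.setProperty("_PASSWORD", "s3cret");
        System.out.println(new Server(true, new StaticDirectory()).connect(info));
        info.setProperty("_PASSWORD", "s3cret"); // removed by the first connect
        try { new Server(false, new StaticDirectory()).connect(info); }
        catch (SecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```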