Security
TLS configuration (SSL / TLS), authentication mechanisms (SCRAM-SHA-256, MD5, cleartext password, the requireAuth allow-list and channelBinding posture, the AuthenticationPlugin SPI; see Authentication), and Kerberos via JSSE GSSAPI or Windows-native SSPI (Kerberos, GSSAPI, SSPI).
For the connection-level security baseline a deployment should adopt, see Configure SSL/TLS (in Quick start).
See also
The driver’s release-disclosure surface lives outside the documentation tree, on the site’s top-level Security page:
- Release verification: PGP signing keys used for Maven Central uploads, with rollover fingerprints (the active key changed in 42.7.8).
- Known vulnerabilities: the driver’s CVE / GHSA history with impact, patched-in versions and workarounds.
- Third-party CVE status statements: public statements about high-profile CVEs in adjacent libraries (e.g. Log4Shell) and whether pgJDBC is exposed.
- SSL / TLS
  Configuring TLS for pgJDBC: sslmode levels (disable through verify-full), certificate and key file formats, the custom SSLSocketFactory SPI for application-managed key material, and the channel-binding interaction with SCRAM.
- Authentication
  Authentication methods pgJDBC supports (SCRAM-SHA-256, MD5, password, Kerberos / GSSAPI / SSPI), the server-driven negotiation, and the hardening levers: requireAuth, channelBinding, scramMaxIterations, AuthenticationPlugin.
- Kerberos, GSSAPI, SSPI
  Kerberos-based authentication for pgJDBC: JSSE GSSAPI on *nix and cross-platform, Windows-native SSPI via waffle-jna, the gsslib auto-mode dispatch, gssEncMode for GSS-encrypted connections, and the JAAS knobs.