The legacy KerberosLoginModule has an option called wrapGssCredential that tells the code building the GSSCredential that it should wrap the constructed credential to prevent improper credential disposal by some DB drivers. It essentially delegates every method to the wrapped GSSCredential but makes dispose() a no-op.

The GSSCredentialSecurityFactory in Elytron doesn't offer an option to wrap the constructed credential.