| From: | Radosław Smogura <rsmogura(at)softperience(dot)eu> |
|---|---|
| To: | eyal edri <eyal(dot)edri(at)gmail(dot)com> |
| Cc: | <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres |
| Date: | 2011-06-08 09:43:31 |
| Message-ID: | d6a2f6f9a4a7e42432cfe0e756e74849@mail.softperience.eu |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Wed, 8 Jun 2011 10:18:23 +0300, eyal edri wrote:
> What settings would you recommend for using postgres in an enterprise
> application together with jboss?
>
> there are numerous auth options (from the documentation):
>
> 19.3.1. Trust authentication [1]19.3.2. Password authentication [2]
> 19.3.3. GSSAPI authentication [3]19.3.4. SSPI authentication [4]
> 19.3.5. Kerberos authentication [5]19.3.6. Ident-based
> authentication [6] 19.3.7. LDAP authentication
> [7]19.3.8. Certificate authentication [8] 19.3.9. PAM authentication
> [9]
> and im not sure that the jdbc driver even supports all of them when
> jboss needs to access the db.
> currently ive chosen MD5 as the auth, but is that the best option?
> thanks
> Eyal.
>
> Links:
> ------
> [1]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-TRUST
> [2]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PASSWORD
> [3]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#GSSAPI-AUTH
> [4]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#SSPI-AUTH
> [5]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
> [6]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-IDENT
> [7]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-LDAP
> [8]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-CERT
> [9]
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PAM
It doesn't matter so much. I actually prefer storing user
names/password in not a system accounts (so password in db, or LDAP -
simpler to migrate settings). Certificate maybe hard to configure on
JBoss and other application servers (this includes if something will go
wrong long time to restore), but I think it's most secure, as your key
store may be encrypted.
You should actually only consider safty of storing of such passwords in
database. If with md5 the password isn't digested like in DIGEST HTTP
auth, and only md5 shortcut is transfferd it has no meaning if you will
transfer over network clear password or md5 password (ok has if you use
same password in at least two services both storing password with md5).
On higher level you may note that MD5 is little bit out-dated and it's
not considered secure, currently I think only SHA-256 is secure.
If you suspect that someone on your network may sniff password use cert
auth or kerberos or one of it mutations.
Regards,
Radek
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Leonardo Francalanci | 2011-06-08 09:54:57 | Re: Postgres or Greenplum |
| Previous Message | Craig Ringer | 2011-06-08 09:33:16 | Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres |