
Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres

On 8/06/2011 3:18 PM, eyal edri wrote:
What settings would you recommend for using postgres in an enterprise
application together with jboss?

Most such applications have the database servers on an isolated network only accessible to the app server, not to the wider world. In these cases you'd usually limit the IP range(s) the database servers will accept connections from, firewall them off, and use a decent auth scheme like md5 or Kerberos. I suspect that most configurations use md5 auth for simplicity, and it's a reasonable choice.

Kerberos is certainly stronger and should be used if your database server and app server are not on the same machine and your network has Kerberos infrastructure already deployed. I wouldn't bother rolling out Kerberos just for PostgreSQL and PgJDBC.

In smaller configurations the database is often on the same machine as the appserver and set to only listen on the loopback address (127.0.0.1). In this case md5 auth is more than sufficient.

Because most app servers use a single username and password to connect to the database and provide a pool of connections, there isn't much advantage to using LDAP or other directory auth schemes. It's really intended for situations where you already have a user directory and you want users in it to all have direct logins to the database system. In an application server you'd usually configure the *app* *server* to auth users against LDAP, using fixed credentials unrelated to the logged in user for its database connections behind the scenes.

Certificate auth with SSL is useful, but probably not necessary or worthwhile for an app server environment.

I'd stick to md5 unless you're already used to Kerberos and have Kerberos infrastructure.

--
Craig Ringer

Tech-related writing at http://soapyfrogs.blogspot.com/

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
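
An added example, not part of the original message: a short Python check that a pg_hba.conf follows the advice above, with TCP rules limited to the app server's address ranges and md5 or Kerberos (`gss`) auth. The sample rules, the `appdb` and `jboss` names, and the 10.20.0.0/24 network are constructed for illustration.

```python
import ipaddress

# Methods the message recommends: md5, or Kerberos ("gss" in pg_hba.conf).
RECOMMENDED = {"md5", "gss"}

# Constructed sample; database, role and addresses are assumptions.
ALLOWED = ["127.0.0.1/32", "10.20.0.0/24"]
SAMPLE = """\
# TYPE  DATABASE  USER     ADDRESS         METHOD
local   all       postgres                 peer
host    appdb     jboss    127.0.0.1/32    md5
host    appdb     jboss    10.20.0.15/32   md5
host    appdb     jboss    10.20.0.0 255.255.255.0 gss
host    all       all      0.0.0.0/0       md5
host    appdb     jboss    10.20.0.16/32   trust
host    appdb     jboss    all             md5
"""


def audit_pg_hba(text, allowed_nets):
    """Return (line_no, problem) for each TCP rule that departs from the advice."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        # Skip blanks, comments and "local" (Unix socket) rules; every
        # TCP rule type starts with "host" (host, hostssl, hostnossl, ...).
        if not f or not f[0].startswith("host"):
            continue
        try:
            if "/" in f[3]:   # CIDR form: ADDRESS METHOD
                net, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:             # separate mask: ADDRESS NETMASK METHOD
                net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
                method = f[5]
        except (ValueError, IndexError):
            # Keywords such as "all", host names, or a truncated rule.
            findings.append((no, "malformed rule or non-literal address"))
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((no, f"{net} is not inside the allowed app-server networks"))
        if method not in RECOMMENDED:
            findings.append((no, f"auth method '{method}' is not md5 or gss"))
    return findings


if __name__ == "__main__":
    for line_no, problem in audit_pg_hba(SAMPLE, ALLOWED):
        print(f"line {line_no}: {problem}")
```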

