On Wed, 8 Jun 2011 10:18:23 +0300, eyal edri wrote:
What settings would you recommend for using postgres in an enterprise
application together with jboss?
there are numerous auth options (from the documentation):
19.3.1.ÂTrust authentication [1]19.3.2.ÂPassword authentication [2]
19.3.3.ÂGSSAPI authentication [3]19.3.4.ÂSSPI authentication [4]
19.3.5.ÂKerberos authentication [5]19.3.6.ÂIdent-based
authentication [6] 19.3.7.ÂLDAP authentication
[7]19.3.8.ÂCertificate authentication [8] 19.3.9.ÂPAM authentication
[9]
and im not sure that the jdbc driver even supports all of them when
jboss needs to access the db.
currently ive chosen MD5 as the auth, but is that the best option?
thanks
Eyal.
Links:
------
[1]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-TRUST
[2]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PASSWORD
[3]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#GSSAPI-AUTH
[4]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#SSPI-AUTH
[5]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
[6]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-IDENT
[7]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-LDAP
[8]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-CERT
[9]
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PAM
It doesn't matter so much. I actually prefer storing user
names/password in not a system accounts (so password in db, or LDAP -
simpler to migrate settings). Certificate maybe hard to configure on
JBoss and other application servers (this includes if something will go
wrong long time to restore), but I think it's most secure, as your key
store may be encrypted.
You should actually only consider safty of storing of such passwords in
database. If with md5 the password isn't digested like in DIGEST HTTP
auth, and only md5 shortcut is transfferd it has no meaning if you will
transfer over network clear password or md5 password (ok has if you use
same password in at least two services both storing password with md5).
On higher level you may note that MD5 is little bit out-dated and it's
not considered secure, currently I think only SHA-256 is secure.
If you suspect that someone on your network may sniff password use cert
auth or kerberos or one of it mutations.
Regards,
Radek
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general