
Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres

On Wed, 8 Jun 2011 10:18:23 +0300, eyal edri wrote:
What settings would you recommend for using postgres in an enterprise
application together with jboss?

There are numerous auth options (from the documentation):

19.3.1. Trust authentication [1]
19.3.2. Password authentication [2]
19.3.3. GSSAPI authentication [3]
19.3.4. SSPI authentication [4]
19.3.5. Kerberos authentication [5]
19.3.6. Ident-based authentication [6]
19.3.7. LDAP authentication [7]
19.3.8. Certificate authentication [8]
19.3.9. PAM authentication [9]
and I'm not sure that the JDBC driver even supports all of them when
JBoss needs to access the db.
Currently I've chosen MD5 as the auth, but is that the best option?
Thanks,
Eyal.

Links:
------
[1] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-TRUST
[2] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PASSWORD
[3] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#GSSAPI-AUTH
[4] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#SSPI-AUTH
[5] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
[6] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-IDENT
[7] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-LDAP
[8] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-CERT
[9] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PAM


It doesn't matter so much. I actually prefer storing user names/passwords not in system accounts (so password in db, or LDAP - simpler to migrate settings). Certificate may be hard to configure on JBoss and other application servers (this includes taking a long time to restore if something goes wrong), but I think it's most secure, as your key store may be encrypted.

You should actually only consider the safety of storing such passwords in the database. If with md5 the password isn't digested like in DIGEST HTTP auth, and only the md5 shortcut is transferred, it has no meaning whether you transfer the clear password or the md5 password over the network (ok, it has if you use the same password in at least two services, both storing the password with md5). On a higher level you may note that MD5 is a little bit out-dated and it's not considered secure; currently I think only SHA-256 is secure.

If you suspect that someone on your network may sniff passwords, use cert auth or Kerberos or one of its mutations.

Regards,
Radek
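The thread's advice (avoid `trust`, don't rely on md5 over a sniffable network, prefer certificate or Kerberos/GSSAPI) comes down to what `pg_hba.conf` permits. The script below is an added example, not code from either poster or from the PostgreSQL project: it parses `pg_hba.conf`-style entries and reports the weak choices, with a constructed permissive file beside a constructed hardened one. It goes beyond the 8.4 docs cited above in that it also recognises the `scram-sha-256` and `peer` methods that later PostgreSQL releases added; the severity labels and the two sample files are this example's own assumptions.

```python
"""Audit pg_hba.conf entries for weak authentication choices.

Added example: not part of the mailing-list thread. The two sample
configurations below are constructed for this script.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Methods that never put a reusable secret on the wire, even without TLS
STRONG_METHODS = {"cert", "gss", "sspi", "krb5", "scram-sha-256"}
# Methods where the client sends the cleartext password to the server
CLEARTEXT_ON_WIRE = {"password", "ldap", "pam", "radius"}


@dataclass
class Entry:
    conn_type: str            # local / host / hostssl / hostnossl
    database: str
    user: str
    address: Optional[str]    # None for 'local'; CIDR or "ip netmask" otherwise
    method: str
    options: List[str] = field(default_factory=list)


def parse_hba(text: str) -> List[Entry]:
    """Parse pg_hba.conf lines (comments stripped; quoted names not handled)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            # local DATABASE USER METHOD [OPTIONS]
            if len(f) < 4:
                raise ValueError(f"malformed local entry: {raw!r}")
            entries.append(Entry(f[0], f[1], f[2], None, f[3], f[4:]))
            continue
        # TYPE DATABASE USER ADDRESS METHOD [OPTIONS]; ADDRESS is either one
        # CIDR/hostname token or an IP followed by a separate netmask token
        if len(f) < 5:
            raise ValueError(f"malformed host entry: {raw!r}")
        has_netmask = (len(f) >= 6
                       and re.fullmatch(r"[0-9a-fA-F.:]+", f[4]) is not None
                       and any(c in f[4] for c in ".:"))
        if has_netmask:
            entries.append(Entry(f[0], f[1], f[2], f"{f[3]} {f[4]}", f[5], f[6:]))
        else:
            entries.append(Entry(f[0], f[1], f[2], f[3], f[4], f[5:]))
    return entries


def audit(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (entry, severity, reason) findings; an empty list means clean."""
    findings = []
    for e in entries:
        loc = " ".join(x for x in (e.conn_type, e.database, e.user, e.address or "", e.method) if x)
        if e.method == "trust":
            findings.append((loc, "HIGH", "trust: any client matching this line connects without a credential"))
        elif e.conn_type == "hostnossl" and e.method != "reject":
            findings.append((loc, "HIGH", "hostnossl forces a plaintext session; only 'reject' makes sense here"))
        elif e.conn_type == "host" and e.method in CLEARTEXT_ON_WIRE:
            findings.append((loc, "HIGH", f"{e.method}: cleartext password on a non-TLS 'host' line is sniffable"))
        elif e.method == "md5":
            note = "md5: salted challenge-response, but the stored hash is password-equivalent and MD5 is deprecated; prefer scram-sha-256 or cert"
            if e.conn_type == "host":
                note += " (and this line also accepts non-TLS sessions)"
            findings.append((loc, "MEDIUM", note))
        elif e.conn_type == "host" and e.method in STRONG_METHODS:
            findings.append((loc, "LOW", "credential is safe, but 'host' still allows unencrypted sessions; use hostssl"))
    return findings


# Constructed permissive configuration (the kind the thread warns against)
WEAK_CONF = """
local   all   all                             trust
host    all   all   0.0.0.0/0                 md5
host    app   jboss 10.0.1.0 255.255.255.0    password
"""

# Constructed hardened configuration: TLS required, no reusable secret on the wire
HARDENED_CONF = """
local      all   all                    peer
hostssl    app   jboss  10.0.1.0/24     cert
hostssl    all   all    10.0.0.0/8      scram-sha-256
hostnossl  all   all    0.0.0.0/0       reject
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for loc, sev, why in audit(parse_hba(conf)) or [("(none)", "OK", "no findings")]:
            print(f"[{sev}] {loc}: {why}")
```

For the JBoss side, the hardened file only helps if the JDBC connection actually negotiates TLS and verifies the server; with the pgjdbc driver that is the `sslmode=verify-full` URL parameter (an assumption about the driver, not something the thread states), and `cert` auth additionally needs the client key store wired into the datasource, which is the configuration effort Radek mentions.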

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
