Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres

From: Radosław Smogura
Subject: Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres
Msg-id: d6a2f6f9a4a7e42432cfe0e756e74849@mail.softperience.eu
In reply to: Best Practices - Securing an Enterprise application using JBOSS & Postgres (eyal edri <eyal.edri@gmail.com>)
Responses: Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres (Isak Hansen <isak.hansen@gmail.com>)
List: pgsql-general
 On Wed, 8 Jun 2011 10:18:23 +0300, eyal edri wrote:
> What settings would you recommend for using postgres in an enterprise
> application together with jboss?
>
> there are numerous auth options (from the documentation):
>
> 19.3.1. Trust authentication [1]
> 19.3.2. Password authentication [2]
> 19.3.3. GSSAPI authentication [3]
> 19.3.4. SSPI authentication [4]
> 19.3.5. Kerberos authentication [5]
> 19.3.6. Ident-based authentication [6]
> 19.3.7. LDAP authentication [7]
> 19.3.8. Certificate authentication [8]
> 19.3.9. PAM authentication [9]
>
> and I'm not sure that the jdbc driver even supports all of them when
> jboss needs to access the db.
> currently I've chosen MD5 as the auth, but is that the best option?
> thanks
> Eyal.
>
> Links:
> ------
> [1] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-TRUST
> [2] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PASSWORD
> [3] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#GSSAPI-AUTH
> [4] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#SSPI-AUTH
> [5] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
> [6] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-IDENT
> [7] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-LDAP
> [8] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-CERT
> [9] http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PAM


 It doesn't matter so much. I actually prefer storing user
 names/passwords not in system accounts (so passwords in the DB, or LDAP;
 simpler to migrate settings). Certificates may be hard to configure on
 JBoss and other application servers (this includes a long time to restore
 if something goes wrong), but I think it's the most secure, as your key
 store may be encrypted.

 You should actually only consider the safety of storing such passwords in
 the database. If with md5 the password isn't digested like in DIGEST HTTP
 auth, and only the md5 shortcut is transferred, it has no meaning whether you
 transfer the clear password or the md5 password over the network (ok, it has if you use the
 same password in at least two services both storing the password with md5).
 On a higher level you may note that MD5 is a little bit out-dated and it's
 not considered secure; currently I think only SHA-256 is secure.

 If you suspect that someone on your network may sniff passwords, use cert
 auth or kerberos or one of its mutations.

 Regards,
 Radek
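The exchange behind the `md5` method that the thread is weighing, as an added example that is not part of the original thread or of PostgreSQL's own code: it reproduces with `hashlib` what the 8.4-era server stores for a role (`"md5"` + hex(md5(password || username))) and what a client sends back to the 4-byte salt challenge. The role name, password and salts below are constructed; the point it makes concrete is Radek's one about storage, namely that the server-side check needs only the stored value, so that value is itself a credential and must be protected like one.

```python
# Added example (not from the mailing-list thread or the PostgreSQL source):
# the md5 password exchange used for "md5" entries in pg_hba.conf,
# reproduced with hashlib. All role names, passwords and salts are constructed.
import hashlib
import hmac
import os


def md5_stored_form(username: str, password: str) -> str:
    """What the server keeps in pg_authid.rolpassword when the role's
    password was set with password_encryption = md5: the literal prefix
    "md5" followed by hex(md5(password || username))."""
    inner = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + inner


def md5_client_response(username: str, password: str, salt: bytes) -> str:
    """What a client (the JDBC driver or psql) sends back to an
    AuthenticationMD5Password request carrying a 4-byte random salt.
    The clear-text password never crosses the wire, only this digest."""
    if len(salt) != 4:
        raise ValueError("PostgreSQL md5 auth uses a 4-byte salt")
    stored = md5_stored_form(username, password)
    outer = hashlib.md5(stored[3:].encode("ascii") + salt).hexdigest()
    return "md5" + outer


def md5_server_verify(stored: str, salt: bytes, response: str) -> bool:
    """Server-side check. It needs only the stored value and the salt it
    issued; the clear-text password is not needed, which is exactly why the
    stored value has to be protected as carefully as the password itself."""
    if not stored.startswith("md5") or len(stored) != 35:
        return False
    expected = "md5" + hashlib.md5(stored[3:].encode("ascii") + salt).hexdigest()
    return hmac.compare_digest(expected, response)


def new_salt() -> bytes:
    """Fresh 4-byte salt per connection attempt; a fresh salt is what keeps a
    captured response from being accepted again later."""
    return os.urandom(4)


if __name__ == "__main__":
    user, pw = "jboss_app", "correct horse battery staple"  # constructed
    stored = md5_stored_form(user, pw)
    salt = new_salt()
    resp = md5_client_response(user, pw, salt)
    print("stored :", stored)
    print("on wire:", resp)
    print("verify :", md5_server_verify(stored, salt, resp))
    # The same response against a fresh salt is rejected:
    print("replay :", md5_server_verify(stored, new_salt(), resp))
```

Two things follow for the setup Eyal describes. First, `md5` keeps the clear password off the wire but encrypts nothing else, so the `hostssl` form of the pg_hba.conf entry (or one of the cert/Kerberos methods Radek names) is what actually addresses a sniffer on the network. Second, because `md5_server_verify` works from `rolpassword` alone, read access to that column, backups of it, and dumps that include it deserve the same handling as the application's password store; later releases (PostgreSQL 10 onward) added `scram-sha-256`, which removes this password-equivalence of the stored value.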
