Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres - Mailing list pgsql-general

From Radosław Smogura
Subject Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres
Date
Msg-id d6a2f6f9a4a7e42432cfe0e756e74849@mail.softperience.eu
Whole thread Raw
In response to Best Practices - Securing an Enterprise application using JBOSS & Postgres  (eyal edri <eyal.edri@gmail.com>)
Responses Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres
List pgsql-general
 On Wed, 8 Jun 2011 10:18:23 +0300, eyal edri wrote:
> What settings would you recommend for using postgres in an enterprise
> application together with jboss?
>
> there are numerous auth options (from the documentation):
>
>  19.3.1. Trust authentication [1]19.3.2. Password authentication [2]
> 19.3.3. GSSAPI authentication [3]19.3.4. SSPI authentication [4]
> 19.3.5. Kerberos authentication [5]19.3.6. Ident-based
> authentication [6] 19.3.7. LDAP authentication
> [7]19.3.8. Certificate authentication [8] 19.3.9. PAM authentication
> [9]
> and im not sure that the jdbc driver even supports all of them when
> jboss needs to access the db.
> currently ive chosen MD5 as the auth, but is that the best option?
> thanks
> Eyal.
>
> Links:
> ------
> [1]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-TRUST
> [2]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PASSWORD
> [3]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#GSSAPI-AUTH
> [4]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#SSPI-AUTH
> [5]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
> [6]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-IDENT
> [7]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-LDAP
> [8]
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-CERT
> [9]
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#AUTH-PAM


 It doesn't matter so much. I actually prefer storing user
 names/password in not a system accounts (so password in db, or LDAP -
 simpler to migrate settings). Certificate maybe hard to configure on
 JBoss and other application servers (this includes if something will go
 wrong long time to restore), but I think it's most secure, as your key
 store may be encrypted.

 You should actually only consider safty of storing of such passwords in
 database. If with md5 the password isn't digested like in DIGEST HTTP
 auth, and only md5 shortcut is transfferd it has no meaning if you will
 transfer over network clear password or md5 password (ok has if you use
 same password in at least two services both storing password with md5).
 On higher level you may note that MD5 is little bit out-dated and it's
 not considered secure, currently I think only SHA-256 is secure.

 If you suspect that someone on your network may sniff password use cert
 auth or kerberos or one of it mutations.

 Regards,
 Radek

pgsql-general by date:

Previous
From: Craig Ringer
Date:
Subject: Re: Best Practices - Securing an Enterprise application using JBOSS & Postgres
Next
From: Leonardo Francalanci
Date:
Subject: Re: Postgres or Greenplum