Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-09 Thread Isak Hansen
On Thu, Jun 9, 2011 at 5:46 AM, Craig Ringer wrote: > On 09/06/11 03:07, Isak Hansen wrote: > >> While MD5 is considered broken for certain applications, it's still >> perfectly valid for auth purposes. > > MD5 rainbow tables can be calculated quickly using services easily > available to anyone (e

Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-09 Thread Radosław Smogura
Bill Moran Thursday 09 of June 2011 14:44:31 > In response to Craig Ringer : > > On 09/06/11 03:07, Isak Hansen wrote: > > > While MD5 is considered broken for certain applications, it's still > > > perfectly valid for auth purposes. > > > > MD5 rainbow tables can be calculated quickly using serv

Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-09 Thread Bill Moran
In response to Craig Ringer : > On 09/06/11 03:07, Isak Hansen wrote: > > > While MD5 is considered broken for certain applications, it's still > > perfectly valid for auth purposes. > > MD5 rainbow tables can be calculated quickly using services easily > available to anyone (eg: EC2) and rainbo

Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-09 Thread Radosław Smogura
On Wed, 8 Jun 2011 21:07:12 +0200, Isak Hansen wrote: On Wed, Jun 8, 2011 at 11:43 AM, Radosław Smogura wrote: You should actually only consider safety of storing of such passwords in database. If with md5 the password isn't digested like in DIGEST HTTP auth, and only md5 shortcut is transffe

Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-08 Thread Craig Ringer
On 09/06/11 03:07, Isak Hansen wrote: > While MD5 is considered broken for certain applications, it's still > perfectly valid for auth purposes. MD5 rainbow tables can be calculated quickly using services easily available to anyone (eg: EC2) and rainbow tables for passwords up to 8 chars have bee

Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-08 Thread Isak Hansen
On Wed, Jun 8, 2011 at 11:43 AM, Radosław Smogura wrote: > > You should actually only consider safety of storing of such passwords in > database. If with md5 the password isn't digested like in DIGEST HTTP auth, > and only md5 shortcut is transferred it has no meaning if you will transfer > over net

Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-08 Thread Radosław Smogura
On Wed, 8 Jun 2011 10:18:23 +0300, eyal edri wrote: What settings would you recommend for using postgres in an enterprise application together with jboss? there are numerous auth options (from the documentation): 19.3.1. Trust authentication 19.3.2. Password authentication 19.3.3. GSSAP

Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-08 Thread Craig Ringer
On 8/06/2011 3:18 PM, eyal edri wrote: What settings would you recommend for using postgres in an enterprise application together with jboss? Most such applications have the database servers on an isolated network only accessible to the app server, not to the wider world. In these cases you'd

Re: [GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-08 Thread John R Pierce
On 06/08/11 12:18 AM, eyal edri wrote: currently i've chosen MD5 as the auth, but is that the best option? that's the usual choice for JDBC apps. -- john r pierce N 37, W 122 santa cruz ca mid-left coast -- Sent via pgsql-general mailing l

[GENERAL] Best Practices - Securing an Enterprise application using JBOSS & Postgres

2011-06-08 Thread eyal edri
What settings would you recommend for using postgres in an enterprise application together with jboss? there are numerous auth options (from the documentation): 19.3.1. Trust authentication 19.3.2. Password authenticati