[infinispan-dev] Hot Rod secured by default

Gustavo Fernandes gustavo at infinispan.org
Thu Mar 30 09:12:13 EDT 2017


-1 to SSL by default

On Thu, Mar 30, 2017 at 1:39 PM, Tristan Tarrant <ttarrant at redhat.com>
wrote:

> Let me add another item:
>
> combined with Sebastian's PR [1] we could also turn on encryption by
> default using a self-signed certificate. We would also need to have an
> easy option (i.e. a boolean, false by default) on the Hot Rod clients to
> trust all certs.
>
> This means that a Hot Rod client would need to be configured as follows:
>
> ConfigurationBuilder clientBuilder = new ConfigurationBuilder();
> clientBuilder
>    .security()
>      .authentication()
>        .username("user").realm("realm").password("password")
>      .ssl()
>        .enable().trustAll(true);
>
> without having to manually set up callback handlers or trustmanagers.
>
> I don't think this would affect the user experience too much.
>
> Tristan
>
> [1] https://github.com/infinispan/infinispan/pull/5036
>
> On 30/03/2017 14:25, Tristan Tarrant wrote:
> > Dear all,
> >
> > after a mini chat on IRC, I wanted to bring this to everybody's attention.
> >
> > We should make the Hot Rod endpoint require authentication in the
> > out-of-the-box configuration.
> > The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
> > mechanism against the ApplicationRealm and require users to run the
> > add-user script.
> > This would achieve two goals:
> > - secure out-of-the-box configuration, which is always a good idea
> > - access to the "protected" schema and script caches which is prevented
> > when not on loopback on non-authenticated endpoints.
> >
> > Tristan
>
> --
> Tristan Tarrant
> Infinispan Lead
> JBoss, a division of Red Hat
>
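
Added example, not part of the thread or of the Infinispan code base: a Hot Rod client configuration that keeps TLS enabled against a self-signed server certificate by importing that one certificate into a client truststore, so the server is still authenticated, which a trust-all switch would not do. The host, port, truststore file name and passwords are assumed values, and the username/realm/password setters follow the proposal quoted above.

```java
import org.infinispan.client.hotrod.configuration.Configuration;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;

public class PinnedHotRodClientConfig {

    // Assumed values for illustration; none of them come from the thread.
    static final String HOST = "127.0.0.1";
    static final int PORT = 11222;                        // default Hot Rod port
    static final String TRUSTSTORE = "client-truststore.jks";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /*
     * The truststore contains only the server's self-signed certificate,
     * exported from the server and imported once on the client, e.g.:
     *
     *   keytool -importcert -alias hotrod-server -file server.crt
     *           -keystore client-truststore.jks -storepass changeit
     *
     * With this in place the TLS handshake fails for any endpoint that does
     * not hold the matching private key. A trust-all setting gives an
     * encrypted channel but accepts whatever certificate is presented, so
     * the SASL exchange below could be terminated by an intermediary.
     */
    static Configuration pinnedTrust() {
        ConfigurationBuilder clientBuilder = new ConfigurationBuilder();
        clientBuilder.addServer().host(HOST).port(PORT);
        clientBuilder
            .security()
              .authentication()
                .enable()
                .saslMechanism("DIGEST-MD5")              // DIGEST rather than PLAIN
                .username("user").realm("realm").password("password")
              .ssl()
                .enable()
                .trustStoreFileName(TRUSTSTORE)           // pin instead of trust-all
                .trustStorePassword(TRUSTSTORE_PASSWORD);
        return clientBuilder.build();
    }

    public static void main(String[] args) {
        // Building the configuration does not open a connection.
        Configuration cfg = pinnedTrust();
        System.out.println("TLS enabled: " + cfg.security().ssl().enabled());
        System.out.println("Truststore:  " + cfg.security().ssl().trustStoreFileName());
    }
}
```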