[infinispan-dev] Hot Rod secured by default
rvansa at redhat.com
Thu Mar 30 12:04:44 EDT 2017
I don't see an example/quickstart using security on the tutorials page
. Could you provide one that would show what all would the user have
to configure in order to do HotRod hello world?
While secure OOTB is good, I like performant OOTB. And it seems to me
that "I need security" is something they'll probably think about when
deploying (if they need that), and will look it up, I wouldn't like to
see "turn off security" in the perf tuning guide. So I'd say -1 to SSL
-1 to PLAIN authentication without encryption, that's not a safe
On 03/30/2017 02:39 PM, Tristan Tarrant wrote:
> Let me add another item:
> combined with Sebastian's PR  we could also turn on encryption by
> default using a self-signed certificate. We would also need to have an
> easy option (i.e. a boolean, false by default) on the Hot Rod clients to
> trust all certs.
> This means that a Hot Rod client would need to be configured as follows:
> ConfigurationBuilder clientBuilder = new ConfigurationBuilder();
> without having to manually set up callback handlers or trustmanagers.
> I don't think this would affect the user experience too much.
>  https://github.com/infinispan/infinispan/pull/5036
> On 30/03/2017 14:25, Tristan Tarrant wrote:
>> Dear all,
>> after a mini chat on IRC, I wanted to bring this to everybody's attention.
>> We should make the Hot Rod endpoint require authentication in the
>> out-of-the-box configuration.
>> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
>> mechanism against the ApplicationRealm and require users to run the
>> add-user script.
>> This would achieve two goals:
>> - secure out-of-the-box configuration, which is always a good idea
>> - access to the "protected" schema and script caches which is prevented
>> when not on loopback on non-authenticated endpoints.
Radim Vansa <rvansa at redhat.com>
JBoss Performance Team
More information about the infinispan-dev