<div dir="ltr">-1 to SSL by default<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 30, 2017 at 1:39 PM, Tristan Tarrant <span dir="ltr">&lt;<a href="mailto:ttarrant@redhat.com" target="_blank">ttarrant@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Let me add another item:<br>
<br>
combined with Sebastian's PR [1] we could also turn on encryption by<br>
default using a self-signed certificate. We would also need to have an<br>
easy option (i.e. a boolean, false by default) on the Hot Rod clients to<br>
trust all certs.<br>
<br>
This means that a Hot Rod client would need to be configured as follows:<br>
<br>
ConfigurationBuilder clientBuilder = new ConfigurationBuilder();<br>
clientBuilder<br>
.security()<br>
.authentication()<br>
.username("user").realm("realm").password("password")<br>
.ssl()<br>
.enable().trustAll(true);<br>
<br>
without having to manually set up callback handlers or trustmanagers.<br>
<br>
I don't think this would affect the user experience too much.<br>
<br>
Tristan<br>
<br>
[1] <a href="https://github.com/infinispan/infinispan/pull/5036" rel="noreferrer" target="_blank">https://github.com/infinispan/infinispan/pull/5036</a><br>
<div class="HOEnZb"><div class="h5"><br>
On 30/03/2017 14:25, Tristan Tarrant wrote:<br>
> Dear all,<br>
><br>
> after a mini chat on IRC, I wanted to bring this to everybody's attention.<br>
><br>
> We should make the Hot Rod endpoint require authentication in the<br>
> out-of-the-box configuration.<br>
> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL<br>
> mechanism against the ApplicationRealm and require users to run the<br>
> add-user script.<br>
> This would achieve two goals:<br>
> - secure out-of-the-box configuration, which is always a good idea<br>
> - access to the "protected" schema and script caches which is prevented<br>
> when not on loopback on non-authenticated endpoints.<br>
><br>
> Tristan<br>
<br>
--<br>
Tristan Tarrant<br>
Infinispan Lead<br>
JBoss, a division of Red Hat<br>
______________________________<wbr>_________________<br>
infinispan-dev mailing list<br>
<a href="mailto:infinispan-dev@lists.jboss.org">infinispan-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/infinispan-<wbr>dev</a><br>
</div></div></blockquote></div><br></div></div></div></div>
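<div>Added example, not part of the thread or of the Infinispan code base: a JDK-only way for a client to trust exactly one self-signed server certificate instead of accepting every certificate, which is the trade-off behind the proposed <code>trustAll(true)</code> flag. The file name <code>server.pem</code>, the alias <code>hotrod-server</code> and the class name are assumptions; handing the resulting context to the Hot Rod client is left as a comment.</div>

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedServerTrust {

    // Builds an SSLContext whose only trust anchor is the certificate stored at pemPath.
    static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        Certificate serverCert;
        try (InputStream in = Files.newInputStream(Paths.get(pemPath))) {
            serverCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Empty in-memory trust store: the JVM's default CA bundle is not consulted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("hotrod-server", serverCert); // assumed alias

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No client key material (first argument null); default SecureRandom.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: PinnedServerTrust <server.pem>");
            System.exit(2);
        }
        // args[0]: the server's self-signed certificate exported as PEM (assumed input).
        SSLContext ctx = contextTrustingOnly(args[0]);
        // A client would pass ctx to its SSL configuration in place of a trust-all option.
        // A handshake with any server presenting a different certificate then fails.
        System.out.println("Context ready, protocol: " + ctx.getProtocol());
    }
}
```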