<div dir="ltr">I agree the security out of the box is good. But at the same time we don't want to make Infinispan harder to use for new developers. Out of the box configuration should be "good enough" to start hacking.<div><br></div><div>I would propose to make all the endpoints unprotected (with authentication disabled) on localhost/loopback and protected when calling from the outside world. </div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Mar 30, 2017 at 2:39 PM Tristan Tarrant <<a href="mailto:ttarrant@redhat.com">ttarrant@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear all,<br class="gmail_msg">
<br class="gmail_msg">
after a mini chat on IRC, I wanted to bring this to everybody's attention.<br class="gmail_msg">
<br class="gmail_msg">
We should make the Hot Rod endpoint require authentication in the<br class="gmail_msg">
out-of-the-box configuration.<br class="gmail_msg">
The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL<br class="gmail_msg">
mechanism against the ApplicationRealm and require users to run the<br class="gmail_msg">
add-user script.<br class="gmail_msg">
This would achieve two goals:<br class="gmail_msg">
- secure out-of-the-box configuration, which is always a good idea<br class="gmail_msg">
- access to the "protected" schema and script caches which is prevented<br class="gmail_msg">
when not on loopback on non-authenticated endpoints.<br class="gmail_msg">
<br class="gmail_msg">
Tristan<br class="gmail_msg">
--<br class="gmail_msg">
Tristan Tarrant<br class="gmail_msg">
Infinispan Lead<br class="gmail_msg">
JBoss, a division of Red Hat<br class="gmail_msg">
_______________________________________________<br class="gmail_msg">
infinispan-dev mailing list<br class="gmail_msg">
<a href="mailto:infinispan-dev@lists.jboss.org" class="gmail_msg" target="_blank">infinispan-dev@lists.jboss.org</a><br class="gmail_msg">
<a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" class="gmail_msg" target="_blank">https://lists.jboss.org/mailman/listinfo/infinispan-dev</a><br class="gmail_msg">
</blockquote></div>