<div dir="ltr"><div><div><div>+1 to make the default secure.<br></div><br>-1 SSL by default as it makes it slower and I think not most will use it<br><br></div>-1 easy trust all certs, That sounds to me we close one door and make it possible to open another one<br><br><br></div>What if we add an example configuration unsecured which can be simple copied for examples and to start.<br><div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 30, 2017 at 5:31 PM, Dennis Reed <span dir="ltr"><<a href="mailto:dereed@redhat.com" target="_blank">dereed@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">+1 to authentication and encryption by default.<br>
This is 2017, that's how *everything* should be configured.<br>
<br>
-1 to making it easy to trust all certs. That negates the point of<br>
using encryption in the first place and should really never be done.<br>
<br>
If it's too hard to configure the correct way that we think it would<br>
turn users away, that's a usability problem that needs to be fixed.<br>
<span class="HOEnZb"><font color="#888888"><br>
-Dennis<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
On 03/30/2017 09:29 AM, Tristan Tarrant wrote:<br>
> While the "unsecure" over loopback is quite tempting, I would prefer to<br>
> have homogeneous behaviour with the possibility to disable security<br>
> altogether for quick demos.<br>
> Otherwise a developer would need to code differently for the local use<br>
> case than for the remote one, causing more confusion.<br>
><br>
> Tristan<br>
><br>
> On 30/03/2017 14:54, Sebastian Laskawiec wrote:<br>
>> I agree the security out of the box is good. But at the same time we<br>
>> don't want to make Infinispan harder to use for new developers. Out of<br>
>> the box configuration should be "good enough" to start hacking.<br>
>><br>
>> I would propose to make all the endpoints unprotected (with<br>
>> authentication disabled) on localhost/loopback and protected when<br>
>> calling from the outside world.<br>
>><br>
>> On Thu, Mar 30, 2017 at 2:39 PM Tristan Tarrant <<a href="mailto:ttarrant@redhat.com">ttarrant@redhat.com</a><br>
>> <mailto:<a href="mailto:ttarrant@redhat.com">ttarrant@redhat.com</a>>> wrote:<br>
>><br>
>> Dear all,<br>
>><br>
>> after a mini chat on IRC, I wanted to bring this to everybody's<br>
>> attention.<br>
>><br>
>> We should make the Hot Rod endpoint require authentication in the<br>
>> out-of-the-box configuration.<br>
>> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL<br>
>> mechanism against the ApplicationRealm and require users to run the<br>
>> add-user script.<br>
>> This would achieve two goals:<br>
>> - secure out-of-the-box configuration, which is always a good idea<br>
>> - access to the "protected" schema and script caches which is prevented<br>
>> when not on loopback on non-authenticated endpoints.<br>
>><br>
>> Tristan<br>
>> --<br>
>> Tristan Tarrant<br>
>> Infinispan Lead<br>
>> JBoss, a division of Red Hat<br>
>> ______________________________<wbr>_________________<br>
>> infinispan-dev mailing list<br>
>> <a href="mailto:infinispan-dev@lists.jboss.org">infinispan-dev@lists.jboss.org</a> <mailto:<a href="mailto:infinispan-dev@lists.jboss.org">infinispan-dev@lists.<wbr>jboss.org</a>><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/infinispan-<wbr>dev</a><br>
>><br>
>><br>
>><br>
>> ______________________________<wbr>_________________<br>
>> infinispan-dev mailing list<br>
>> <a href="mailto:infinispan-dev@lists.jboss.org">infinispan-dev@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/infinispan-<wbr>dev</a><br>
>><br>
><br>
______________________________<wbr>_________________<br>
infinispan-dev mailing list<br>
<a href="mailto:infinispan-dev@lists.jboss.org">infinispan-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/infinispan-<wbr>dev</a><br>
</div></div></blockquote></div><br></div>