<div dir="ltr">On Mon, Apr 3, 2017 at 1:52 PM, Sebastian Laskawiec <span dir="ltr"><<a href="mailto:slaskawi@redhat.com" target="_blank">slaskawi@redhat.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">That's actually a very good point but it deserves separate discussion I think.</div><div dir="ltr" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg"><br></div><div class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">The point is that we get an initialized SSLEngine from WF. Then we simply build Netty's JdkSslContext [1] (as you probably know, Netty uses its own SSLContext; this JdkSslContext class acts as a bridge between Netty (it implements Netty's SslContext) and JDK (it can be created from JDK's SSLContext) world). </div><div class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg"><br></div><div class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">So if we want to depend on WF/Elytron-based SSL initialization, we need to either stick to JDK's SSLContext or implement our own JDK's SSLContext/Netty's OpenSSLContext [2] bridge. 
I created a JIRA [3] to implement this.</div></div></blockquote><div><br><br></div><div>AFAICT, Wildfly 11 should export a "org.wildfly.security.ssl-<wbr>context" capability to allow plugging in custom engines.<br><br></div><div>Gustavo<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg"><br></div><div class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">[1] <a href="https://github.com/infinispan/infinispan/blob/fd3061a684c13aa7c22d215f43910735bf7ff4a6/server/router/src/main/java/org/infinispan/server/router/router/impl/hotrod/handlers/util/SslUtils.java#L35" target="_blank">https://github.com/infinis<wbr>pan/infinispan/blob/fd3061a684<wbr>c13aa7c22d215f43910735bf7ff4a6<wbr>/server/router/src/main/java/<wbr>org/infinispan/server/router/<wbr>router/impl/hotrod/handlers/<wbr>util/SslUtils.java#L35</a></div><div class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">[2] <a href="https://github.com/netty/netty/blob/a2304287a170dc14031928d6d2a3374705305839/handler/src/main/java/io/netty/handler/ssl/OpenSslContext.java" target="_blank">https://github.com/netty/n<wbr>etty/blob/a2304287a170dc140319<wbr>28d6d2a3374705305839/handler/<wbr>src/main/java/io/netty/<wbr>handler/ssl/OpenSslContext.<wbr>java</a></div><div class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">[3] <a href="https://issues.jboss.org/browse/ISPN-7694" target="_blank">https://issues.jboss.org/b<wbr>rowse/ISPN-7694</a></div><div><div class="m_1592481373720628131gmail-h5"><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg"><div class="gmail_quote m_1592481373720628131gmail-m_-775208718858219801gmail_msg"><div dir="ltr" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">On Fri, Mar 31, 2017 at 6:02 PM Tristan Tarrant <<a href="mailto:ttarrant@redhat.com" 
class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">ttarrant@redhat.com</a>> wrote:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg"></div><blockquote class="gmail_quote m_1592481373720628131gmail-m_-775208718858219801gmail_msg" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">You want to use OpenSSL with Netty:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
<a href="http://netty.io/wiki/requirements-for-4.x.html#wiki-h4-4" rel="noreferrer" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">http://netty.io/wiki/requireme<wbr>nts-for-4.x.html#wiki-h4-4</a><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
Tristan<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
On 31/03/2017 15:55, Sebastian Laskawiec wrote:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Unfortunately TLS still slows down stuff (a lot). When I was doing tests<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> for the multi-tenancy router (which is based on TLS/SNI), my average<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> results were like this:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Use-case | Type | Avg | Error<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> initConnectionAndPerform10KPutsSingleServerNoSsl | | 1034.817 | 14.424<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> initConnectionAndPerform10KPutsSingleServerWithSsl | | 1567.553 | 24.872<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> initConnectionAndPerform10KPutsTwoServersWithSslSni | | 1563.229 | 34.05<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> initConnectionOnlySingleServerNoSsl | | *3.389* | 0.198<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> initConnectionOnlySingleServerWithSsl | | *14.086* | 0.794<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> initConnectionOnlyTwoServersWithSslSni | | *14.722* | 0.684<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> perform10KPutsSingleServerNoSsl | | *4.602* | 0.585<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> perform10KPutsSingleServerWithSsl | | *16.583* | 0.198<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> perform10KPutsTwoServersWithSslSni | | *17.02* | 0.794<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> This is nothing new, but initializing a Hot Rod connection was ~4<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> times slower and putting 10K random strings (UUIDs) was also ~4 times<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> slower. But what's worth mentioning, there is no significant difference<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> between TLS and TLS+SNI.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> As far as I know, it is possible to install specialized hardware to deal<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> with encryption in data centers. It is called SSL Acceleration [1].<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> However I'm not aware of any special processor instructions that can<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> help you with that. But the implementations are getting better and<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> better, so who knows...<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> But getting back to the original question, I think the problem we are<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> trying to solve (correct me if I'm wrong) is to prevent unauthorized<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> folks from putting their hands on a victim's data (either pushing something<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> malicious/corrupted to the cache or obtaining something from the cache).<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Another problem is transmission security - encryption. If we want our<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> new devs to be secured out of the box, I think we should do both - use<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> TLS (without trusting all certificates) and authentication. This makes<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Infinispan harder to use of course. So the other extreme is to turn<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> both things off.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> I voted for the latter, making Infinispan super easy to use. But you<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> guys convinced me that we should care about the security in this case<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> too, so I would use PLAIN authentication + TLS. I would also love to see<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> one magic switch, for example `./bin/standalone.sh --dev-mode`, which<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> would turn all security off.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Thanks,<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Sebastian<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> [1] <a href="https://en.wikipedia.org/wiki/SSL_acceleration" rel="noreferrer" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">https://en.wikipedia.org/wiki/<wbr>SSL_acceleration</a><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> On Thu, Mar 30, 2017 at 9:22 PM Dan Berindei <<a href="mailto:dan.berindei@gmail.com" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">dan.berindei@gmail.com</a>> wrote:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> I agree with Radim, PLAIN authentication without encryption makes it<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> too easy to sniff the password from another machine.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> I have no idea how expensive SSL encryption is in WildFly, but I think<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> all recent processors have specialized instructions for helping with<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> encryption, so it may not be that bad.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Even with encryption, if the client trusts all certs, it may be<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> possible for an attacker to insert itself in the middle and decode<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> everything -- depending on network topology and what kind of access<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> the attacker already has. I think it only makes sense to trust all<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> certs if we also implement something like HPKP [1], to make it more<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> like ssh.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> [1]: <a href="https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning" rel="noreferrer" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">https://en.wikipedia.org/wiki/<wbr>HTTP_Public_Key_Pinning</a><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Cheers<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> Dan<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> On Thu, Mar 30, 2017 at 7:07 PM, Wolf Fink <<a href="mailto:wfink@redhat.com" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">wfink@redhat.com</a>> wrote:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> > +1 to make the default secure.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> > -1 SSL by default as it makes it slower and I think most will not<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> use it<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> > -1 easy trust all certs. That sounds to me like we close one door and<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> make it<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> > possible to open another one<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> > What if we add an example configuration unsecured which can be<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> simply copied<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> > for examples and to start.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> > On Thu, Mar 30, 2017 at 5:31 PM, Dennis Reed <<a href="mailto:dereed@redhat.com" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">dereed@redhat.com</a>> wrote:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> +1 to authentication and encryption by default.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> This is 2017, that's how *everything* should be configured.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> -1 to making it easy to trust all certs. That negates the point of<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> using encryption in the first place and should really never be done.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> If it's too hard to configure the correct way that we think it would<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> turn users away, that's a usability problem that needs to be fixed.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> -Dennis<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> On 03/30/2017 09:29 AM, Tristan Tarrant wrote:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> > While the "unsecure" over loopback is quite tempting, I would<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> prefer to<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> > have homogeneous behaviour with the possibility to disable<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> security<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> > altogether for quick demos.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> > Otherwise a developer would need to code differently for the<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> local use<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> > case than for the remote one, causing more confusion.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> > Tristan<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> > On 30/03/2017 14:54, Sebastian Laskawiec wrote:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> I agree the security out of the box is good. But at the same<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> time we<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> don't want to make Infinispan harder to use for new<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> developers. Out of<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> the box configuration should be "good enough" to start hacking.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> I would propose to make all the endpoints unprotected (with<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> authentication disabled) on localhost/loopback and protected when<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> calling from the outside world.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> On Thu, Mar 30, 2017 at 2:39 PM Tristan Tarrant <<a href="mailto:ttarrant@redhat.com" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">ttarrant@redhat.com</a>> wrote:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> Dear all,<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> after a mini chat on IRC, I wanted to bring this to<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> everybody's<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> attention.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> We should make the Hot Rod endpoint require<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> authentication in the<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> out-of-the-box configuration.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> The proposal is to enable the PLAIN (or, preferably,<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> DIGEST) SASL<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> mechanism against the ApplicationRealm and require users<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> to run the<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> add-user script.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> This would achieve two goals:<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> - secure out-of-the-box configuration, which is always a<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> good idea<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> - access to the "protected" schema and script caches which is<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> prevented<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> when not on loopback on non-authenticated endpoints.<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> Tristan<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> --<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> Tristan Tarrant<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> Infinispan Lead<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> JBoss, a division of Red Hat<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> _____________________________<wbr>__________________<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> infinispan-dev mailing list<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> <a href="mailto:infinispan-dev@lists.jboss.org" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">infinispan-dev@lists.jboss.org</a><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >> <a href="https://lists.jboss.org/mailman/listinfo/infinispan-dev" rel="noreferrer" class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg" target="_blank">https://lists.jboss.org/mailma<wbr>n/listinfo/infinispan-dev</a><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> >><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> >> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
> ><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
><br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
--<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
Tristan Tarrant<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
Infinispan Lead<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
JBoss, a division of Red Hat<br class="m_1592481373720628131gmail-m_-775208718858219801gmail_msg">
</blockquote></div></div></div></div>
</blockquote></div><br></div></div>
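Dan's point in the quoted thread, that trusting all certificates only makes sense when combined with something like HPKP "to make it more like ssh", can be shown with a JDK trust manager that accepts a server only if its public key matches a pinned hash. This is an added example, not code from the thread or from Infinispan; the class `PinnedKeyTrustManager`, its method names and the key pairs generated in `main` are constructed for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Hypothetical client-side trust manager: no CA chain building, only key pins. */
public final class PinnedKeyTrustManager implements X509TrustManager {

    /** Each pin is base64(SHA-256(SubjectPublicKeyInfo)), the format HPKP uses. */
    private final Set<String> pins;

    public PinnedKeyTrustManager(Set<String> pins) {
        // An empty pin set must never degrade into "accept everything".
        if (pins == null || pins.isEmpty()) {
            throw new IllegalArgumentException("at least one pin is required");
        }
        this.pins = Collections.unmodifiableSet(new HashSet<>(pins));
    }

    /** Computes the pin of a key; getEncoded() is the DER SubjectPublicKeyInfo. */
    public static String pinOf(PublicKey key) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public boolean isPinned(PublicKey key) {
        return pins.contains(pinOf(key));
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("server sent no certificate");
        }
        X509Certificate leaf = chain[0];
        leaf.checkValidity(); // still reject expired or not-yet-valid certificates
        if (!isPinned(leaf.getPublicKey())) {
            // Report the unexpected pin so an operator can compare it out of band.
            throw new CertificateException(
                    "server key is not pinned: " + pinOf(leaf.getPublicKey()));
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        throw new CertificateException("this trust manager is for client-side use only");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // no CAs are trusted, only pinned keys
    }

    /** Builds a JDK SSLContext whose only trust decision is the pin check. */
    public static SSLContext clientContext(Set<String> pins) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedKeyTrustManager(pins) }, null);
        return ctx;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample keys: one stands for the real server, one for an
        // unknown party presenting its own certificate on the same connection.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair server = gen.generateKeyPair();
        KeyPair unknown = gen.generateKeyPair();

        Set<String> pins = Collections.singleton(pinOf(server.getPublic()));
        PinnedKeyTrustManager tm = new PinnedKeyTrustManager(pins);

        System.out.println("server key accepted:  " + tm.isPinned(server.getPublic()));
        System.out.println("unknown key accepted: " + tm.isPinned(unknown.getPublic()));
        System.out.println("context protocol:     " + clientContext(pins).getProtocol());
    }
}
```

Unlike a trust-all manager, a self-signed server certificate is still usable here, but only the key recorded in advance is accepted; rotating the server key requires distributing a new pin first.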