[keycloak-dev] bundle an SMTP server?

Bill Burke bburke at redhat.com
Fri Nov 8 11:50:29 EST 2013



On 11/8/2013 11:40 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: "Stian Thorgersen" <stian at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Friday, 8 November, 2013 4:27:51 PM
>> Subject: Re: [keycloak-dev] bundle an SMTP server?
>>
>>
>>
>> On 11/8/2013 5:42 AM, Stian Thorgersen wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>> Cc: keycloak-dev at lists.jboss.org
>>>> Sent: Tuesday, 5 November, 2013 4:21:54 PM
>>>> Subject: Re: [keycloak-dev] bundle an SMTP server?
>>>>
>>>> I disagree.  Users aren't going to download Keycloak and immediately use
>>>> it in production.  Autogenerated self-signed SSL certs, an SMTP server,
>>>> and a preconfigured DB all make sense as then the user can immediately
>>>> use keycloak in development and configure certs, db, etc. later when
>>>> they want to run it in production.
>>>
>>> Why would a developer need SSL? There's a good reason why I wouldn't want
>>> to have a self-signed cert while doing dev/test and that's the fact that
>>> the browser will keep bugging you telling you that the certificate is not
>>> valid. I think Firefox lets you accept the certificate permanently, but
>>> Chrome will just keep bugging you over and over again.
>>>
>>
>> This is from JBoss experiences.  You want to lock down your server as
>> much as possible OOTB, well, because many users are stupid.  For
>> example, The Server Side deployed on JBoss years ago and they forgot to
>> secure the JBoss admin console. So.... random people kept shutting down
>> theserverside.com :)  (No, I swear I'm not guilty of this!!!).  JBoss
>> got the perception (from stupid analysts) that we were insecure.
>
> I remember that shit - it was even possible to Google for unsecured JBoss consoles :)
>
> With that in mind enabling SSL by default makes sense - I didn't consider the fact that idiots will deploy it as is, thinking that it should just work for production straight away.
>

There were some other funny things too like "JBoss doesn't scale!" 
Well...the default OOTB allowed web connections were 10.

>
> True - but if people want to deploy (and manage) it internally wouldn't you then assume some level of understanding of how to set-up the required environment (db + smtp)?
>

I've been burned multiple times assuming users have a clue, so I assume 
they are clueless.

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
