[keycloak-dev] Enable SSL by default

Bill Burke bburke at redhat.com
Fri Aug 1 09:25:38 EDT 2014


As usual, great stuff.

On 8/1/2014 8:55 AM, Stian Thorgersen wrote:
> Added, ssl-not-required has been replaced with ssl-required with valid options:
>
> * all - requires SSL for all requests
> * external - requires SSL for external requests (default)
> * none - don't require SSL at all
>
> Both the server and adapters have been updated.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Thursday, 31 July, 2014 4:15:40 PM
>> Subject: Re: [keycloak-dev] Enable SSL by default
>>
>> This is pretty tricky if we want a nice error page. Especially as we need to
>> know the realm to know the login theme.
>>
>> I'm dropping this, and instead adding
>> RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will be
>> false, while isSslNotRequiredLocalRequest will be true.
>>
>> ----- Original Message -----
>>> From: "Stian Thorgersen" <stian at redhat.com>
>>> To: "Bill Burke" <bburke at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Thursday, 31 July, 2014 2:04:47 PM
>>> Subject: Re: [keycloak-dev] Enable SSL by default
>>>
>>> I propose we remove the SSL required switch on the Realm. Instead we have an
>>> option to configure SSL requirement in keycloak-server.json, which also
>>> allows excluding IP addresses.
>>>
>>> Default config would be:
>>>
>>>    {
>>>      "https": {
>>>         "required" : true,
>>>         "exclude": [ "localhost", "127.0.0.1" ]
>>>      }
>>>    }
>>>
>>> If someone wants to allow local network traffic without https they could
>>> change it to:
>>>
>>>    {
>>>      "https": {
>>>         "required" : true,
>>>         "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
>>>      }
>>>    }
>>>
>>> And of course if someone really wants to they can disable it altogether
>>> with:
>>>
>>>    {
>>>      "https": {
>>>         "required" : false,
>>>         "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
>>>      }
>>>    }
>>>
>>> If no config is specified I think it should default to required: true, with
>>> empty exclude.
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke at redhat.com>
>>>> To: keycloak-dev at lists.jboss.org
>>>> Sent: Thursday, 31 July, 2014 1:53:48 PM
>>>> Subject: Re: [keycloak-dev] Enable SSL by default
>>>>
>>>> So hardcode the localhost requirement?  That would work.  The switch
>>>> would be "require ssl" or "non-encrypted localhost only"
>>>>
>>>> On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
>>>>> To make sure no-one goes off and uses Keycloak in production without HTTPS
>>>>> we should require SSL by default. To still allow developers to play with
>>>>> Keycloak without having to configure HTTPS first we should allow non-HTTPS
>>>>> if accessed via localhost only.
>>>>> _______________________________________________
>>>>> keycloak-dev mailing list
>>>>> keycloak-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>
>>>>
>>>> --
>>>> Bill Burke
>>>> JBoss, a division of Red Hat
>>>> http://bill.burkecentral.com

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
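Both policies discussed in the thread, the proposed keycloak-server.json exclude list and the ssl-required switch that replaced it (all / external / none), sketched as an added Python example. This is not Keycloak's code; the config dicts are constructed in the shape Stian posted, and treating a "local" client as loopback or a private-range address is an assumption, since the thread does not define what "external" means.

```python
import fnmatch
import ipaddress

# Constructed configs in the shape proposed in the thread; not Keycloak's shipped format.
DEFAULT_HTTPS_CONFIG = {"https": {"required": True, "exclude": ["localhost", "127.0.0.1"]}}
LAN_HTTPS_CONFIG = {"https": {"required": True,
                              "exclude": ["localhost", "127.0.0.1", "10.9.10.*"]}}


def is_excluded(client: str, exclude: list[str]) -> bool:
    """True if the client host/IP matches an exclude entry; '*' is a wildcard ("10.9.10.*")."""
    return any(fnmatch.fnmatchcase(client, pattern) for pattern in exclude)


def ssl_required_by_config(config: dict, client: str) -> bool:
    """Policy from the keycloak-server.json proposal: SSL required unless the client is excluded."""
    https = config.get("https", {})
    if not https.get("required", True):  # proposal: a missing config defaults to required: true
        return False
    return not is_excluded(client, https.get("exclude", []))  # missing exclude defaults to empty


def is_local_client(client: str) -> bool:
    """Assumed meaning of 'local' for the external mode: loopback or a private-range address."""
    if client == "localhost":
        return True
    addr = ipaddress.ip_address(client)
    return addr.is_loopback or addr.is_private


def ssl_required_by_mode(mode: str, client: str) -> bool:
    """Policy from the final ssl-required setting: all / external (default) / none."""
    if mode == "all":
        return True
    if mode == "none":
        return False
    if mode == "external":
        return not is_local_client(client)
    raise ValueError(f"unknown ssl-required value: {mode!r}")


def must_reject(mode: str, client: str, request_is_https: bool) -> bool:
    """A plain-HTTP request is refused only when the mode requires SSL for this client."""
    return ssl_required_by_mode(mode, client) and not request_is_https
```

Note that a wildcard like `10.9.10.*` is a string match, not a CIDR check, so it also matches anything else starting with `10.9.10.`; a production implementation would compare parsed addresses against `ipaddress.ip_network` prefixes instead.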

