<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 10/31/2014 4:15 AM, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:862337823.4657452.1414743322139.JavaMail.zimbra@redhat.com"
type="cite">
<pre wrap="">Looks good to me. We should include this in Beta1.
A few comments/questions:
* Can we support enabling confidential transport-guarantee (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems to be the last requirement for an exploded WAR</pre>
</blockquote>
Looking this over, it seems pretty important! I think I'd like to
go ahead and implement this option before we merge. I should be
able to do that and also finish the doc updates by the middle of
next week. Just go ahead and release the Beta if you want. I can
catch the next release train.<br>
<br>
I plan to implement this as a boolean value on the server called
"https-required". Is there a better name for it?<br>
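&lt;subsystem xmlns="urn:jboss:domain:keycloak:1.0"&gt;<br>
&nbsp;&nbsp;&lt;auth-server name="foo"&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&lt;enabled&gt;true&lt;/enabled&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&lt;web-context&gt;auth&lt;/web-context&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&lt;https-required&gt;true&lt;/https-required&gt;<br>
&nbsp;&nbsp;&lt;/auth-server&gt;<br>
&lt;/subsystem&gt;<br>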
<br>
Should the default be false? I realize that the default in the
appliance dist is false, but should the default always be false?<br>
<br>
If true, this will be automatically added to auth-server.war at
deploy time:<br>
<a id="d4e327">
<pre xmlns="" xmlns:d="http://docbook.org/ns/docbook" xmlns:rf="java:org.jboss.highlight.XhtmlRendererFactory" class="">&lt;security-constraint&gt;
    &lt;web-resource-collection&gt;
        &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
    &lt;/web-resource-collection&gt;
    &lt;user-data-constraint&gt;
        &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;
    &lt;/user-data-constraint&gt;
&lt;/security-constraint&gt;
</pre>
</a><br>
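<br>
Added example, not part of the original message and not Keycloak code: a Python check that a parsed web.xml really forces CONFIDENTIAL transport on /* for every HTTP method, which is what the constraint above is meant to guarantee once it is injected at deploy time. The function names and the sample descriptors are constructed for illustration.<br>

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace so namespaced and legacy descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    """Direct children of elem whose local tag name equals name."""
    return [c for c in elem if local(c.tag) == name]

def enforces_https(web_app):
    """True if a security-constraint forces CONFIDENTIAL on /* for all methods."""
    for sc in children(web_app, "security-constraint"):
        guarantees = [
            (tg.text or "").strip()
            for udc in children(sc, "user-data-constraint")
            for tg in children(udc, "transport-guarantee")
        ]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in children(sc, "web-resource-collection"):
            patterns = [(p.text or "").strip() for p in children(wrc, "url-pattern")]
            # A method list narrows the constraint and leaves the
            # remaining HTTP methods reachable over plain HTTP.
            narrowed = children(wrc, "http-method") or children(wrc, "http-method-omission")
            if "/*" in patterns and not narrowed:
                return True
    return False

def build_web_app(guarantee=None, pattern="/*", methods=()):
    """Constructed sample descriptor (not taken from a real auth-server.war)."""
    ns = "{http://xmlns.jcp.org/xml/ns/javaee}"
    root = ET.Element(ns + "web-app")
    if guarantee is None:
        return root  # descriptor with no security-constraint at all
    sc = ET.SubElement(root, ns + "security-constraint")
    wrc = ET.SubElement(sc, ns + "web-resource-collection")
    ET.SubElement(wrc, ns + "url-pattern").text = pattern
    for m in methods:
        ET.SubElement(wrc, ns + "http-method").text = m
    udc = ET.SubElement(sc, ns + "user-data-constraint")
    ET.SubElement(udc, ns + "transport-guarantee").text = guarantee
    return root

if __name__ == "__main__":
    print("injected constraint:", enforces_https(build_web_app("CONFIDENTIAL")))
    print("no constraint:", enforces_https(build_web_app()))
    print("GET/POST only:", enforces_https(build_web_app("CONFIDENTIAL", methods=("GET", "POST"))))
```

To audit a descriptor on disk, pass ET.parse(path).getroot() to enforces_https.<br>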
</body>
</html>