Let me add another item:

combined with Sebastian's PR [1] we could also turn on encryption by
default using a self-signed certificate. We would also need to have an
easy option (i.e. a boolean, false by default) on the Hot Rod clients to
trust all certs.

This means that a Hot Rod client would need to be configured as follows:

ConfigurationBuilder clientBuilder = new ConfigurationBuilder();
clientBuilder
   .security()
     .authentication()
       .username("user").realm("realm").password("password")
     .ssl()
       .enable().trustAll(true);

without having to manually set up callback handlers or trustmanagers.

I don't think this would affect the user experience too much.

Tristan

[1] https://github.com/infinispan/infinispan/pull/5036

On 30/03/2017 14:25, Tristan Tarrant wrote:
> Dear all,
>
> after a mini chat on IRC, I wanted to bring this to everybody's attention.
>
> We should make the Hot Rod endpoint require authentication in the
> out-of-the-box configuration.
> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
> mechanism against the ApplicationRealm and require users to run the
> add-user script.
> This would achieve two goals:
> - secure out-of-the-box configuration, which is always a good idea
> - access to the "protected" schema and script caches which is prevented
> when not on loopback on non-authenticated endpoints.
>
> Tristan

--
Tristan Tarrant
Infinispan Lead
JBoss, a division of Red Hat
_______________________________________________
infinispan-dev mailing list
infinispan-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev