While the "unsecure" over loopback is quite tempting, I would prefer to
have homogeneous behaviour with the possibility to disable security
altogether for quick demos.
Otherwise a developer would need to code differently for the local use
case than for the remote one, causing more confusion.
Tristan
On 30/03/2017 14:54, Sebastian Laskawiec wrote:
I agree the security out of the box is good. But at the same time we
don't want to make Infinispan harder to use for new developers. Out of
the box configuration should be "good enough" to start hacking.
I would propose to make all the endpoints unprotected (with
authentication disabled) on localhost/loopback and protected when
calling from the outside world.
On Thu, Mar 30, 2017 at 2:39 PM Tristan Tarrant <ttarrant(a)redhat.com> wrote:
Dear all,
after a mini chat on IRC, I wanted to bring this to everybody's
attention.
We should make the Hot Rod endpoint require authentication in the
out-of-the-box configuration.
The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
mechanism against the ApplicationRealm and require users to run the
add-user script.
This would achieve two goals:
- secure out-of-the-box configuration, which is always a good idea
- access to the "protected" schema and script caches, which is prevented
when not on loopback on non-authenticated endpoints.
Tristan
--
Tristan Tarrant
Infinispan Lead
JBoss, a division of Red Hat
_______________________________________________
infinispan-dev mailing list
infinispan-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/infinispan-dev
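As an added example (not code from the thread or the Infinispan project), this is what the secured out-of-the-box default Tristan proposes could look like in the Infinispan 9 server's standalone XML: a Hot Rod connector authenticating with DIGEST-MD5 against ApplicationRealm. Element and attribute names follow the Infinispan 9 server schema as I recall it; the socket-binding, cache-container and server-name values are placeholders.

```xml
<!-- Added example, not from the thread: Hot Rod endpoint with SASL
     authentication enabled by default, as the proposal describes.
     Attribute names assumed from the Infinispan 9 server schema;
     "hotrod", "local" and "infinispan" are placeholder values. -->
<hotrod-connector socket-binding="hotrod" cache-container="local">
    <!-- ApplicationRealm is the realm the add-user script populates,
         so users created there can authenticate to the endpoint. -->
    <authentication security-realm="ApplicationRealm">
        <!-- DIGEST-MD5 rather than PLAIN: the password itself never
             crosses the wire, which matters once the endpoint is reachable
             from off-loopback. server-name must match what clients set. -->
        <sasl server-name="infinispan" mechanisms="DIGEST-MD5" qop="auth">
            <policy>
                <!-- Refuse unauthenticated sessions outright, so the
                     "protected" schema and script caches are only reachable
                     by named, authenticated users. -->
                <no-anonymous value="true"/>
            </policy>
        </sasl>
    </authentication>
</hotrod-connector>
```

Hot Rod clients then need a matching SASL mechanism, server name, realm and a user created with add-user; a client that sends no credentials is rejected by the no-anonymous policy rather than silently getting access.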