Re: [jboss-as7-dev] Secure HTTP API Endpoint

Yes the sample posted was for a quick out of the box config, in addition to that for the separation of configuration we do also have a properties file based approach. Both will support an obfuscated form of the password and once I have had a chance to review the SASL mechanisms used in the Remoting integration I will be looking to store these as pre-prepared hashes which if compromised would only be useable for a specific user against a specific security realm. If a single user used the same password against multiple realms then the hash would not be usable against the other realms. Regards, Darran Lofthouse. On 05/26/2011 03:51 PM, Andrig Miller wrote: > I know that from the security side of things, we are trying to make sure that usernames and passwords don't end up in configuration files. > > I think we should rope in Anil and company into this discussion. > > Andy > > ----- Original Message ----- >> From: "Heiko Braun"<hbraun(a)redhat.com> >> To: "Remy Maucherat"<rmaucher(a)redhat.com> >> Cc: jboss-as7-dev(a)lists.jboss.org >> Sent: Thursday, May 26, 2011 1:57:08 AM >> Subject: Re: [jboss-as7-dev] Secure HTTP API Endpoint >> >> >> In general I would agree with your approach. >> >> But AFAIK the HTTP API endpoint doesn't support authorization >> schemes. >> So no roles in this case. >> >> On May 26, 2011, at 9:39 AM, Remy Maucherat wrote: >> >>> The right solution is to require some special role for any admin or >>> management operations, but not provide any default user having it. >>> So, >>> locked down by default. >> >> _______________________________________________ >> jboss-as7-dev mailing list >> jboss-as7-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev >> > _______________________________________________ > jboss-as7-dev mailing list > jboss-as7-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/jboss-as7-dev