What we need are generic mechanisms to define identity information
(username/password, X.509, etc.) in the security subsystem that can be
referenced by the other subsystems such as management. There is a dire
need to apply advanced encryption, etc., on the identity (if desired) in
the platforms. Let me discuss this with Marcus and get back.
Gone are the days where you could see a password in clear text.
I agree with Remy that we need to lock down the endpoint by default.
On 05/26/2011 09:51 AM, Andrig Miller wrote:
> I know that from the security side of things, we are trying to make
> sure that usernames and passwords don't end up in configuration files.
> I think we should rope in Anil and company into this discussion.
> Andy
> ----- Original Message -----
> > From: "Heiko Braun"<hbraun(a)redhat.com>
> > To: "Remy Maucherat"<rmaucher(a)redhat.com>
> > Cc: jboss-as7-dev(a)lists.jboss.org
> > Sent: Thursday, May 26, 2011 1:57:08 AM
> > Subject: Re: [jboss-as7-dev] Secure HTTP API Endpoint
> >
> >
> > In general I would agree with your approach.
> >
> > But AFAIK the HTTP API endpoint doesn't support authorization
> > schemes.
> > So no roles in this case.
> >
> > On May 26, 2011, at 9:39 AM, Remy Maucherat wrote:
> >
> >> The right solution is to require some special role for any admin or
> >> management operations, but not provide any default user having it.
> >> So,
> >> locked down by default.
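The thread raises two concrete requirements: a management realm that ships with no default user holding the privileged role (Remy's "locked down by default"), and a users file that never carries a cleartext password (Andy's point). The following is an added illustration of both, written for this page; it is not code from JBoss AS 7 or from any participant. The hash record layout (`pbkdf2_sha256$iterations$salt$hash`), the role name `SuperUser` and the `ManagementRealm` class are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed on-disk layout for a hashed credential, in place of a cleartext
# password: "pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>".
# This is an example format, not a JBoss properties-file format.
HASH_ALG = "pbkdf2_sha256"
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only this string is persisted."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (HASH_ALG, iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time.

    Anything that is not a well-formed hash record (e.g. a leftover cleartext
    password) is rejected rather than compared as a password.
    """
    try:
        alg, iterations, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if alg != HASH_ALG:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


class ManagementRealm:
    """In-memory stand-in for a users file: name -> (hash record, roles).

    No user is created on construction, so a freshly deployed realm can
    authorize nobody for management operations: locked down by default.
    """

    MANAGEMENT_ROLE = "SuperUser"  # assumed role name for this example

    def __init__(self):
        self._users = {}

    def add_user(self, username, password, roles):
        # The cleartext password is hashed here and never stored.
        self._users[username] = (hash_password(password), frozenset(roles))

    def stored_record(self, username):
        return self._users[username][0]

    def authenticate(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            # Burn the same KDF cost for unknown users so that username
            # enumeration by response time is harder.
            hash_password(password)
            return False
        return verify_password(password, entry[0])

    def authorize(self, username, password, required_role=MANAGEMENT_ROLE):
        """True only if credentials verify AND the caller holds the role."""
        if not self.authenticate(username, password):
            return False
        return required_role in self._users[username][1]


def demo():
    """Walk through the default-deny behaviour; returns a dict of outcomes."""
    realm = ManagementRealm()
    results = {}
    # Fresh install: the common "admin/admin" guess gets nowhere.
    results["empty_realm_denies"] = realm.authorize("admin", "admin")
    # Constructed sample users for the example.
    realm.add_user("alice", "correct horse battery staple", ["SuperUser"])
    realm.add_user("bob", "hunter2", ["Monitor"])
    results["alice_admin"] = realm.authorize("alice", "correct horse battery staple")
    results["alice_wrong_pw"] = realm.authorize("alice", "wrong")
    results["bob_lacks_role"] = realm.authorize("bob", "hunter2")
    results["bob_monitor"] = realm.authorize("bob", "hunter2", "Monitor")
    results["no_cleartext_on_disk"] = "hunter2" not in realm.stored_record("bob")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of `demo()` is the first line: with an empty realm every management request is refused, and an operator must explicitly add a user with the privileged role before anything is reachable. The `verify_password` path also refuses to treat a malformed record as a password, so a cleartext value that slipped into the file cannot silently authenticate.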