This is pretty tricky if we want a nice error page. Especially as we need to know the
realm to know the login theme.
I'm dropping this, and instead adding RealmModel.isSslNotRequiredLocalRequest. By
default isSslNotRequired will be false, while isSslNotRequiredLocalRequest will be true.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 31 July, 2014 2:04:47 PM
Subject: Re: [keycloak-dev] Enable SSL by default
I propose we remove the SSL required switch on the Realm. Instead we have an
option to configure SSL requirement in keycloak-server.json, which also
allows excluding IP addresses.
Default config would be:
{
    "https": {
        "required": true,
        "exclude": [ "localhost", "127.0.0.1" ]
    }
}
If someone wants to allow local network traffic without https they could
change it to:
{
    "https": {
        "required": true,
        "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
    }
}
And of course if someone really wants to they can disable it altogether with:
{
    "https": {
        "required": false,
        "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
    }
}
If no config is specified I think it should default to required: true, with
empty exclude.
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 31 July, 2014 1:53:48 PM
> Subject: Re: [keycloak-dev] Enable SSL by default
>
> So hardcode the localhost requirement? That would work. The switch
> would be "require ssl" or "non-encrypted localhost only"
>
> On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
> > To make sure no-one goes off and uses Keycloak in production without HTTPS
> > we should require SSL by default. To still allow developers to play with
> > Keycloak without having to configure HTTPS first we should allow non-HTTPS
> > if accessed via localhost only.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
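
Added example, not part of the original thread and not Keycloak code: one way to evaluate the proposed keycloak-server.json "https" block against an incoming request, including the "no config means required: true with empty exclude" default. The function name https_required, matching on the TCP peer address, and treating "localhost" as any loopback address are assumptions made for this sketch.

```python
import fnmatch
import ipaddress
import json

# Constructed sample: the local-network variant of the proposed config.
SAMPLE_CONFIG = json.loads("""
{
  "https": {
    "required": true,
    "exclude": ["localhost", "127.0.0.1", "10.9.10.*"]
  }
}
""")


def https_required(config, peer_addr, is_secure):
    """Return True when a request must be refused for lacking HTTPS.

    peer_addr is assumed to be the TCP peer address of the connection,
    not a Host or X-Forwarded-For header, because the client controls
    those and could use them to claim an excluded address.
    """
    https = (config or {}).get("https", {})
    required = https.get("required", True)  # no config: required
    exclude = https.get("exclude", [])      # no config: nothing excluded
    if is_secure or not required:
        return False
    try:
        ip = ipaddress.ip_address(peer_addr)
    except ValueError:
        return True  # unparseable peer address: fail closed
    for pattern in exclude:
        if pattern == "localhost":
            # Assumption: "localhost" means any loopback address.
            if ip.is_loopback:
                return False
        elif fnmatch.fnmatchcase(str(ip), pattern):
            # Whole-string match, so "10.9.10.*" does not cover 10.9.100.x.
            return False
    return True
```

With a reverse proxy in front of the server the peer address is the proxy's, so an exclude entry covering the proxy would exempt every client behind it.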