Added, ssl-not-required has been replaced with ssl-required with valid options:
* all - requires SSL for all requests
* external - requires SSL for external requests (default)
* none - don't require SSL at all
Both the server and adapters have been updated.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Thursday, 31 July, 2014 4:15:40 PM
Subject: Re: [keycloak-dev] Enable SSL by default
This is pretty tricky if we want a nice error page. Especially as we need to
know the realm to know the login theme.
I'm dropping this, and instead adding
RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will be
false, while isSslNotRequiredLocalRequest will be true.
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Thursday, 31 July, 2014 2:04:47 PM
> Subject: Re: [keycloak-dev] Enable SSL by default
>
> I propose we remove the SSL required switch on the Realm. Instead we have an
> option to configure SSL requirement in keycloak-server.json, which also
> allows excluding IP addresses.
>
> Default config would be:
>
> {
>     "https": {
>         "required" : true,
>         "exclude": [ "localhost", "127.0.0.1" ]
>     }
> }
>
> If someone wants to allow local network traffic without https they could
> change it to:
>
> {
>     "https": {
>         "required" : true,
>         "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
>     }
> }
>
> And of course if someone really wants to they can disable it altogether
> with:
>
> {
>     "https": {
>         "required" : false,
>         "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
>     }
> }
>
> If no config is specified I think it should default to required: true, with
> empty exclude.
>
> ----- Original Message -----
> > From: "Bill Burke" <bburke(a)redhat.com>
> > To: keycloak-dev(a)lists.jboss.org
> > Sent: Thursday, 31 July, 2014 1:53:48 PM
> > Subject: Re: [keycloak-dev] Enable SSL by default
> >
> > So hardcode the localhost requirement? That would work. The switch
> > would be "require ssl" or "non-encrypted localhost only"
> >
> > On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
> > > To make sure no-one goes off and uses Keycloak in production without HTTPS
> > > we should require SSL by default. To still allow developers to play with
> > > Keycloak without having to configure HTTPS first we should allow non-HTTPS
> > > if accessed via localhost only.
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev(a)lists.jboss.org
> > >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> >
http://bill.burkecentral.com
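
The three ssl-required modes listed in the first message, sketched as an added example; it is not part of the thread and not Keycloak's code. The function names, the sample peers, and the reading of "external" as any peer outside loopback and the RFC 1918 private ranges are assumptions.

```python
import ipaddress

MODES = ("all", "external", "none")  # ssl-required options named in the thread

# Assumption (not stated in the thread): "external" means any peer outside
# loopback and the RFC 1918 private ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(remote_addr: str) -> bool:
    """True unless remote_addr parses as a loopback or private address."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return True  # unparseable peer: fail closed and demand TLS
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        ip = mapped
    return not any(ip in net for net in LOCAL_NETS)


def request_allowed(mode: str, is_https: bool, remote_addr: str) -> bool:
    """Decide whether a request satisfies the realm's ssl-required mode.

    remote_addr must be the TCP peer address; a client-supplied header such
    as X-Forwarded-For is only usable when a trusted proxy overwrites it.
    """
    if mode not in MODES:
        raise ValueError(f"unknown ssl-required value: {mode!r}")
    if is_https or mode == "none":
        return True
    if mode == "all":
        return False
    return not is_external(remote_addr)  # mode == "external"


# Constructed sample peers, all arriving over plain HTTP.
SAMPLE_PEERS = ["127.0.0.1", "10.9.10.5", "::ffff:192.168.1.20",
                "203.0.113.7", "not-an-ip"]

if __name__ == "__main__":
    for mode in MODES:
        for peer in SAMPLE_PEERS:
            verdict = "allow" if request_allowed(mode, False, peer) else "reject"
            print(f"{mode:8} http from {peer:20} -> {verdict}")
```

An unknown mode raises instead of falling back to a default, so a typo in the realm setting surfaces as an error and cannot silently disable the HTTPS requirement.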