On 10/31/2014 4:15 AM, Stian Thorgersen wrote:

Looks good to me. We should include this in Beta1.

A few comments/questions:

* Can we support enabling confidential transport-guarantee (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems to be the last requirement for an exploded WAR

Looking this over, it seems pretty important! I think I'd like to go ahead and implement this option before we merge. I should be able to do that and also finish the doc updates by the middle of next week. Just go ahead and release the Beta if you want. I can catch the next release train.

I plan to implement this as a boolean value on on the server called "https-required".   Is there a better name for it?
<subsystem xmlns="urn:jboss:domain:keycloak:1.0">
            <auth-server name="foo">
                <enabled>true</enabled>
                <web-context>auth</web-context>
                <https-required>true</https-required>
            </auth-server>
</subsystem>

Should the default be false? I realize that the default in the appliance dist is false, but should the default always be false?

If true, this will be automatically added to auth-server.war at deploy time:

<security-constraint>
   <web-resource-collection>
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>