Re: [keycloak-dev] Isn't SSL required a global setting?

From: "Bill Burke" <bburke(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Friday, 10 January, 2014 4:32:25 PM Subject: Re: [keycloak-dev] Isn't SSL required a global setting? "Require SSL" is mainly used to force application/oauth redirect URLs to be HTTPS endpoints. Otherwise, auth codes (not tokens) are transmitted in the clear back to the application. A nice side-effect is that if the admin forgets to set up web.xml, the token service will barf too :) On 1/10/2014 11:24 AM, Stian Thorgersen wrote: > At the moment we have a SSL required setting per-realm. I was thinking that > it should be a global configuration for a Keycloak server. In production > all requests to a Keycloak server should be over https, while in > development it should be possible to use http for simplicity. That's not a > per-realm thing IMO. > > If it's ok that it's a global config, we can drop it from the realm and > instead add: > > <security-constraint> > <web-resource-collection> > <web-resource-name>keycloak</web-resource-name> > <url-pattern>/*</url-pattern> > </web-resource-collection> > <user-data-constraint> > <transport-guarantee>CONFIDENTIAL</transport-guarantee> > </user-data-constraint> > </security-constraint> > > To the web.xml in the distribution. In the documentation we should then > have two options, first how to configure SSL on WildFly, second how to > allow HTTP (with a warning that it's only for development!). > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev