On 12/11/2013 7:26 AM, Darran Lofthouse wrote:
> On 11/12/13 10:53, Heiko Braun wrote:
>> Yes, but this is not true for digest auth. There are actually very few
>> client environments that fully support digest out of the box.
>>
>> So I would say, this argument doesn't count as digest is not any less
>> complicated to use than any other more sophisticated auth mechanism.
>>
>> I agree to the TLS argument: for most other auth mechanisms I looked at
>> it seems to be a requirement indeed.
>> But can you elaborate why we cannot ship certificates (out of the box)
> What you are talking about here is encrypting traffic with a key which
> is public knowledge.
>> that need to be replaced in production environments?
> We know that will not happen in many installations - guaranteed!
This is why I've argued before on the TAG that WildFly should generate
SSL keys/certs on initial boot by default. Just generate a key
pair/cert that will only work for "localhost".
For development, the user has something that works out of the box that
they can test HTTPS/SSL with, instead of figuring out the lengthy and
often confusing SSL setup steps. (Our own docs have been really really
crappy in this area, btw).
For production, since the generated cert would only work for
"localhost", the admin would be pretty much forced to install SSL
correctly (or figure out how to turn it off) if they want to run
anywhere outside of development.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
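The localhost-only bootstrap certificate Bill proposes, as an added Go example that is not code from this thread or from WildFly: it generates a self-signed key pair and certificate whose only subject alternative name is "localhost", then shows that a client trusting it accepts "localhost" and rejects any other hostname ("app.example.com" is a constructed stand-in for a production name).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// generateLocalhostCert builds a self-signed key pair and certificate whose only
// subject alternative name is "localhost"; no Subject CN is set, as modern clients ignore it.
func generateLocalhostCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		DNSNames:     []string{"localhost"}, // the SAN is what hostname verification checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived: a development credential
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validFor reports whether a client trusting cert as its only root would accept it for host.
func validFor(cert *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	cert, err := generateLocalhostCert()
	if err != nil {
		panic(err)
	}
	// "app.example.com" is a constructed stand-in for a real production hostname.
	fmt.Println(validFor(cert, "localhost"), validFor(cert, "app.example.com")) // true false
}
```

Because hostname verification fails for every name except "localhost", the generated credential works for local HTTPS testing but cannot quietly survive into a deployment on a real hostname.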