[infinispan-dev] Hot Rod secured by default
Tristan Tarrant
ttarrant at redhat.com
Thu Mar 30 08:39:07 EDT 2017
Let me add another item:
combined with Sebastian's PR [1] we could also turn on encryption by
default using a self-signed certificate. We would also need to have an
easy option (i.e. a boolean, false by default) on the Hot Rod clients to
trust all certs.
This means that a Hot Rod client would need to be configured as follows:
ConfigurationBuilder clientBuilder = new ConfigurationBuilder();
clientBuilder
.security()
.authentication()
.username("user").realm("realm").password("password")
.ssl()
.enable().trustAll(true);
without having to manually set up callback handlers or trustmanagers.
I don't think this would affect the user experience too much.
Tristan
[1] https://github.com/infinispan/infinispan/pull/5036
On 30/03/2017 14:25, Tristan Tarrant wrote:
> Dear all,
>
> after a mini chat on IRC, I wanted to bring this to everybody's attention.
>
> We should make the Hot Rod endpoint require authentication in the
> out-of-the-box configuration.
> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
> mechanism against the ApplicationRealm and require users to run the
> add-user script.
> This would achieve two goals:
> - secure out-of-the-box configuration, which is always a good idea
> - access to the "protected" schema and script caches which is prevented
> when not on loopback on non-authenticated endpoints.
>
> Tristan
--
Tristan Tarrant
Infinispan Lead
JBoss, a division of Red Hat
More information about the infinispan-dev
mailing list