[infinispan-dev] Hot Rod secured by default
Tristan Tarrant
ttarrant at redhat.com
Thu Mar 30 09:29:18 EDT 2017
While the "unsecure" over loopback is quite tempting, I would prefer to
have homogeneous behaviour with the possibility to disable security
altogether for quick demos.
Otherwise a developer would need to code differently for the local use
case than for the remote one, causing more confusion.
Tristan
On 30/03/2017 14:54, Sebastian Laskawiec wrote:
> I agree the security out of the box is good. But at the same time we
> don't want to make Infinispan harder to use for new developers. Out of
> the box configuration should be "good enough" to start hacking.
>
> I would propose to make all the endpoints unprotected (with
> authentication disabled) on localhost/loopback and protected when
> calling from the outside world.
>
> On Thu, Mar 30, 2017 at 2:39 PM Tristan Tarrant <ttarrant at redhat.com> wrote:
>
> Dear all,
>
> after a mini chat on IRC, I wanted to bring this to everybody's
> attention.
>
> We should make the Hot Rod endpoint require authentication in the
> out-of-the-box configuration.
> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
> mechanism against the ApplicationRealm and require users to run the
> add-user script.
> This would achieve two goals:
> - secure out-of-the-box configuration, which is always a good idea
> - access to the "protected" schema and script caches which is prevented
> when not on loopback on non-authenticated endpoints.
>
> Tristan
> --
> Tristan Tarrant
> Infinispan Lead
> JBoss, a division of Red Hat
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Tristan Tarrant
Infinispan Lead
JBoss, a division of Red Hat
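For readers following the proposal, here is what the secured out-of-the-box connector would look like in the server configuration. This is an added illustration, not configuration taken from the thread or from the Infinispan project; it assumes an Infinispan 9-style server endpoint subsystem schema, and the `server-name` value is a placeholder.

```xml
<!-- Fragment for the endpoint subsystem of the server's standalone.xml.
     Schema details assumed (Infinispan 9-era); added example, not project config. -->
<hotrod-connector socket-binding="hotrod" cache-container="local">
    <!-- Bind the connector to the same realm that the add-user script populates,
         so the out-of-the-box config requires a real account instead of
         accepting anonymous clients on every interface. -->
    <authentication security-realm="ApplicationRealm">
        <!-- DIGEST-MD5 rather than PLAIN: the password never crosses the wire
             in the clear. server-name is a placeholder; clients must use
             the same value. -->
        <sasl server-name="hotrod-server-placeholder" mechanisms="DIGEST-MD5" qop="auth">
            <policy>
                <!-- Reject anonymous binds explicitly; this is the setting that
                     enforces "secure by default" for remote and loopback alike. -->
                <no-anonymous value="true"/>
            </policy>
        </sasl>
    </authentication>
</hotrod-connector>
```

Users referenced by the realm are created with the server's add-user script, as the proposal describes; a quick demo can drop the `<authentication>` element to disable security altogether rather than special-casing loopback.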