[jboss-as7-dev] Secure HTTP API Endpoint

Heiko Braun hbraun at redhat.com
Tue May 31 07:59:04 EDT 2011


Still, none of these concerns have answered my initial question. Will it be secured by default? Who takes care of it? Where will it be documented?




On May 31, 2011, at 10:50, Darran Lofthouse <darran.lofthouse at jboss.com> wrote:

> Yes the sample posted was for a quick out of the box config, in addition to that for the separation of configuration we do also have a properties file based approach.
> 
> Both will support an obfuscated form of the password and once I have had a chance to review the SASL mechanisms used in the Remoting integration I will be looking to store these as pre-prepared hashes which if compromised would only be useable for a specific user against a specific security realm.  If a single user used the same password against multiple realms then the hash would not be usable against the other realms.
> 
> Regards,
> Darran Lofthouse.
> 
> 
> 
> On 05/26/2011 03:51 PM, Andrig Miller wrote:
>> I know that from the security side of things, we are trying to make sure that usernames and passwords don't end up in configuration files.
>> 
>> I think we should rope in Anil and company into this discussion.
>> 
>> Andy
>> 
>> ----- Original Message -----
>>> From: "Heiko Braun"<hbraun at redhat.com>
>>> To: "Remy Maucherat"<rmaucher at redhat.com>
>>> Cc: jboss-as7-dev at lists.jboss.org
>>> Sent: Thursday, May 26, 2011 1:57:08 AM
>>> Subject: Re: [jboss-as7-dev] Secure HTTP API Endpoint
>>> 
>>> 
>>> In general I would agree with your approach.
>>> 
>>> But AFAIK the HTTP API endpoint doesn't support authorization
>>> schemes.
>>> So no roles in this case.
>>> 
>>> On May 26, 2011, at 9:39 AM, Remy Maucherat wrote:
>>> 
>>>> The right solution is to require some special role for any admin or
>>>> management operations, but not provide any default user having it.
>>>> So,
>>>> locked down by default.
>>> 
>>> _______________________________________________
>>> jboss-as7-dev mailing list
>>> jboss-as7-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>> 
> 

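The realm-bound stored hash Darran describes above, as an added illustration that is not code from this thread or from JBoss AS 7: it assumes the HTTP Digest HA1 construction H(username:realm:password) from RFC 2617, and the realm names, user and password are constructed sample values.

```python
import hashlib
import hmac


def realm_hash(username: str, realm: str, password: str, algorithm: str = "md5") -> str:
    """Pre-prepared credential hash bound to one user in one realm.

    Assumed here to follow the HTTP Digest HA1 form H(username ":" realm ":" password);
    MD5 is what RFC 2617 Digest specifies. Because the realm name is part of the hashed
    input, the stored value verifies only against that realm.
    """
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.new(algorithm, data).hexdigest()


def build_store(entries, realm: str) -> dict:
    """Build a properties-file style store {username: hash} for one realm.

    entries: iterable of (username, password) pairs (constructed input).
    The clear-text password is never written to the store.
    """
    return {user: realm_hash(user, realm, pwd) for user, pwd in entries}


def verify(store: dict, username: str, realm: str, password: str) -> bool:
    """Check a presented password against a realm's store.

    Recomputes the realm-bound hash from the presented credentials and compares
    it in constant time, so the store never has to contain a clear-text password.
    """
    expected = store.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, realm_hash(username, realm, password))


# Constructed sample: one user reuses the same password in two realms.
MGMT_STORE = build_store([("admin", "s3cret")], "ManagementRealm")
APP_STORE = build_store([("admin", "s3cret")], "ApplicationRealm")


def hash_differs_across_realms(username: str) -> bool:
    """True when the stored hashes for the same user/password differ between
    realms, i.e. a hash compromised from one realm is not usable in the other."""
    return MGMT_STORE[username] != APP_STORE[username]
```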

