[jboss-as7-dev] How hard would it be to support key based auth by default to make life simpler and more secure ?

Max Rydahl Andersen max.andersen at redhat.com
Sun Nov 13 13:49:59 EST 2011


Hi,

Been thinking about the new username/password requirements.

These will make all examples that use the maven deploy plugin, cli scripts, arquillian, jboss tools etc. somehow
tell users to type in their username and full password in clear text in pom.xml and other files.

Which sounds worse to me than a default locked down to only localhost…but I'm not a security expert :)

I was wondering how hard it would be to make the authentication support key based auth by default and we make
the tools use ${user.name} and ${user.home}/.jboss/default.pub and .priv (or some other name) for the public/private keys ?

Then the tooling (cli, IDE plugins etc.) could create these by default and examples could use ${user.name} and ${user.home}/.jboss/default.pub as
the preconfigured parameters.

The examples would run out of the box and it would be limited to work from the machine that actually got the right key (simpler and more secure)
vs. the current AS7.1 master solution, where examples won't run out of the box and, when configured, will run from anywhere (i.e. harder and less secure).

WDYT ?

/max
http://about.me/maxandersen
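
The scheme proposed in this message, sketched as an added example (not code from the post or from JBoss AS): a tool creates the key pair under `${user.home}/.jboss` on first use, and the server accepts a login only if a fresh challenge is signed by the private key matching the registered public key. The file names follow the message; RSA with `SHA256withRSA`, the challenge-response flow, and the class and method names are assumptions.

```java
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.*;
import java.security.spec.*;

public class KeyAuthSketch { // hypothetical names, not a JBoss API
    // Tool side: create the pair on first use; the private key is owner-only (0600).
    static void ensureKeys(Path dir) throws Exception {
        Path priv = dir.resolve("default.priv"), pub = dir.resolve("default.pub");
        if (Files.exists(priv) && Files.exists(pub)) return;
        Files.createDirectories(dir);
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        Files.deleteIfExists(priv);
        try { // restrict permissions before any key bytes are written
            Files.createFile(priv, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) { Files.createFile(priv); } // non-POSIX file system
        Files.write(priv, pair.getPrivate().getEncoded()); // PKCS#8
        Files.write(pub, pair.getPublic().getEncoded());   // X.509 SubjectPublicKeyInfo
    }
    // Tool side: prove possession of the private key by signing the server's challenge.
    static byte[] sign(Path dir, byte[] challenge) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(KeyFactory.getInstance("RSA").generatePrivate(
            new PKCS8EncodedKeySpec(Files.readAllBytes(dir.resolve("default.priv")))));
        s.update(challenge);
        return s.sign();
    }
    // Server side: check the signature against the public key registered for the user.
    static boolean verify(byte[] registeredPub, byte[] challenge, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(registeredPub)));
        s.update(challenge);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(System.getProperty("user.home"), ".jboss");
        ensureKeys(dir);
        byte[] registered = Files.readAllBytes(dir.resolve("default.pub")); // server's copy, stored per user name
        byte[] challenge = new byte[32];
        new SecureRandom().nextBytes(challenge); // fresh per login attempt
        byte[] sig = sign(dir, challenge);
        System.out.println("login accepted: " + verify(registered, challenge, sig));
        challenge[0] ^= 1; // the next login attempt gets a different challenge
        System.out.println("old signature accepted: " + verify(registered, challenge, sig));
    }
}
```

Nothing secret has to appear in pom.xml or a CLI script: those files would carry only the user name and a key path, and a signature captured from one login does not verify against the next challenge.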