[jboss-jira] [JBoss JIRA] (WFLY-12095) Use HTTPS and only HTTPS for management interfaces in default configuration
Jan Stourac (Jira)
issues at jboss.org
Tue Jun 11 07:55:00 EDT 2019
[ https://issues.jboss.org/browse/WFLY-12095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Stourac updated WFLY-12095:
-------------------------------
Description:
Current default configuration of WildFly uses plaintext HTTP for management interfaces that are used for web-console access. Even though it is possible to switch to HTTPS after login to the web-console, I believe we should incorporate an HTTPS and only HTTPS configuration of management interfaces in our default WildFly configuration, as it brings in a more secure approach.
Note that there is digest-auth used for web-console login, thus the password is not sent in plain text over the network, although there is still the possibility of a MITM attack, in which one can see what management operations are performed (the actual request payload is binary, although I presume that it is easy to decode when one knows how to do it).
Yes, I understand that by default there will be just a self-signed certificate generated for the server on the first HTTPS request, but I believe it is still an improvement.
Such a change will affect both the Web-Console and also the CLI, so both will operate over HTTPS. In the case of a self-signed certificate, if it is not already added to the trusted certs, one has to accept the certificate during the first login/access via the Web-Console or CLI.
was:
Current default configuration of WildFly uses plaintext HTTP for management interfaces that are used for web-console access. Even though it is possible to switch to HTTPS after login to the web-console, I believe we should incorporate an HTTPS and only HTTPS configuration of management interfaces in our default WildFly configuration.
Note that there is digest-auth used for web-console login, thus the password is not sent in plain text over the network, although there is still the possibility of a MITM attack, in which one can see what management operations are performed (the actual request payload is binary, although I presume that it is easy to decode when one knows how to do it).
Yes, I understand that by default there will be just a self-signed certificate generated for the server on the first HTTPS request, but I believe it is still an improvement.
> Use HTTPS and only HTTPS for management interfaces in default configuration
> ---------------------------------------------------------------------------
>
> Key: WFLY-12095
> URL: https://issues.jboss.org/browse/WFLY-12095
> Project: WildFly
> Issue Type: Enhancement
> Components: Management, Security
> Affects Versions: 16.0.0.Final
> Reporter: Jan Stourac
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
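The configuration change the issue asks for, as an added example that is not part of the issue or of WildFly itself: a jboss-cli script that gives the legacy ManagementRealm a server identity (with the self-signed certificate generated on first use, as the description notes), binds the management interface to the management-https socket binding and removes the plaintext binding, plus a check that HTTP is gone. It assumes a WildFly 16-era standalone.xml with the default ManagementRealm and management-https binding, JBOSS_HOME set, and uses a constructed keystore name and placeholder passwords.

```shell
#!/bin/sh
# Added example (not from the Jira issue or the WildFly project).
# Assumes: default standalone.xml with the legacy ManagementRealm,
# the "management-https" socket binding (port 9993), JBOSS_HOME set.
# Keystore file name, alias and passwords are constructed placeholders.

management_https_cli_script() {
  cat <<'EOF'
# 1. Server identity for the management realm. With
#    generate-self-signed-certificate-host set, WildFly creates the keystore
#    and a self-signed certificate on first HTTPS use if the file is absent.
/core-service=management/security-realm=ManagementRealm/server-identity=ssl:add( \
  keystore-path=management.keystore, keystore-relative-to=jboss.server.config.dir, \
  keystore-password=CHANGE_ME_PLACEHOLDER, alias=server, \
  key-password=CHANGE_ME_PLACEHOLDER, generate-self-signed-certificate-host=localhost)
# 2. Serve the management interface on the HTTPS socket binding ...
/core-service=management/management-interface=http-interface:write-attribute( \
  name=secure-socket-binding, value=management-https)
# 3. ... and drop the plaintext binding so HTTP is no longer offered at all.
/core-service=management/management-interface=http-interface:undefine-attribute( \
  name=socket-binding)
reload
EOF
}

# Apply the script to a running server over the current (still HTTP) port.
apply_management_https() {
  tmp=$(mktemp) || return 1
  management_https_cli_script >"$tmp"
  "${JBOSS_HOME:?}/bin/jboss-cli.sh" --connect --file="$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# After the reload the CLI must connect over https-remoting; the first
# connection prompts to accept the self-signed certificate, exactly as the
# issue describes, so run this interactively once before scripting it.
# Succeeds only when the plaintext socket-binding is undefined.
verify_https_only() {
  "${JBOSS_HOME:?}/bin/jboss-cli.sh" --connect \
    --controller=https-remoting://localhost:9993 \
    --command='/core-service=management/management-interface=http-interface:read-attribute(name=socket-binding)' \
    | grep -q '"result" => undefined'
}
```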