[keycloak-dev] Isn't SSL required a global setting?

Bill Burke bburke at redhat.com
Fri Jan 10 11:32:25 EST 2014


"Require SSL" is mainly used to force application/oauth redirect URLs to 
be HTTPS endpoints.  Otherwise, auth codes (not tokens) are transmitted 
in the clear back to the application.  A nice side-effect is that if the 
admin forgets to set up web.xml, the token service will barf too :)

On 1/10/2014 11:24 AM, Stian Thorgersen wrote:
> At the moment we have an SSL required setting per-realm. I was thinking that it should be a global configuration for a Keycloak server. In production all requests to a Keycloak server should be over https, while in development it should be possible to use http for simplicity. That's not a per-realm thing IMO.
>
> If it's ok that it's a global config, we can drop it from the realm and instead add:
>
> <security-constraint>
>      <web-resource-collection>
>          <web-resource-name>keycloak</web-resource-name>
>          <url-pattern>/*</url-pattern>
>      </web-resource-collection>
>      <user-data-constraint>
>          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>      </user-data-constraint>
> </security-constraint>
>
> To the web.xml in the distribution. In the documentation we should then have two options, first how to configure SSL on WildFly, second how to allow HTTP (with a warning that it's only for development!).
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
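As an added example (not Keycloak's code, and not from either poster), the two checks this thread describes, written in Python: a redirect-URI gate that refuses to hand an authorization code to a non-HTTPS application endpoint while "Require SSL" is on, and an audit of a web.xml deployment descriptor to confirm that a CONFIDENTIAL transport guarantee covers the `/*` pattern. The function names, the `ssl_required` flag and the sample web.xml are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, urlunsplit


def redirect_uri_allowed(redirect_uri, ssl_required):
    """Decide whether an application redirect URI may receive an auth code.

    Returns (allowed, reason). With ssl_required=True only https endpoints
    are accepted, because the code travels back in the redirect URL and
    would otherwise cross the wire in the clear.  (Hypothetical policy
    function for this example, not Keycloak's own.)
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https"):
        return False, "unsupported scheme %r" % parts.scheme
    if not parts.netloc:
        return False, "redirect URI has no host"
    if parts.fragment:
        return False, "fragment not allowed in a redirect URI"
    if ssl_required and parts.scheme != "https":
        return False, "SSL required but redirect URI is not https"
    return True, "ok"


def build_code_redirect(redirect_uri, code, state):
    """Append code and state to the redirect URI, keeping any existing query."""
    parts = urlsplit(redirect_uri)
    extra = urlencode({"code": code, "state": state})
    query = extra if not parts.query else parts.query + "&" + extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def issue_code(redirect_uri, code, state, ssl_required):
    """Gate the redirect on the SSL policy, then build the 302 Location value."""
    allowed, reason = redirect_uri_allowed(redirect_uri, ssl_required)
    if not allowed:
        raise ValueError("refusing redirect to %s: %s" % (redirect_uri, reason))
    return build_code_redirect(redirect_uri, code, state)


def _local(tag):
    # Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}
    return tag.rsplit("}", 1)[-1]


def web_xml_requires_confidential(web_xml_text, pattern="/*"):
    """True if some <security-constraint> maps `pattern` to CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml_text)
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in constraint.iter()
                    if _local(e.tag) == "url-pattern" and e.text]
        guarantees = [e.text.strip() for e in constraint.iter()
                      if _local(e.tag) == "transport-guarantee" and e.text]
        if pattern in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


# Constructed sample descriptor for the check above (not a real distribution file).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>keycloak</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


if __name__ == "__main__":
    print(issue_code("https://app.example.com/cb", "c0de", "s1", ssl_required=True))
    try:
        issue_code("http://app.example.com/cb", "c0de", "s1", ssl_required=True)
    except ValueError as exc:
        print("blocked:", exc)
    print("web.xml forces HTTPS:", web_xml_requires_confidential(SAMPLE_WEB_XML))
```

The redirect gate is the realm-level control Bill describes; the web.xml audit covers the global control Stian proposes. Running the audit against a descriptor whose guarantee has been relaxed to NONE for development returns False, which is the condition the documentation warning in the thread is meant to flag.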

