[keycloak-dev] Enable SSL by default

Bruno Oliveira bruno at abstractj.org
Thu Jul 31 07:44:27 EDT 2014


+1 on making it global, I don't see any use case for disabling SSL per
realm.

On 2014-07-31, Stian Thorgersen wrote:
> ----- Original Message -----
> > From: "Bruno Oliveira" <bruno at abstractj.org>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: "keycloak dev" <keycloak-dev at lists.jboss.org>
> > Sent: Thursday, 31 July, 2014 11:11:44 AM
> > Subject: Re: [keycloak-dev] Enable SSL by default
> >
> > +1 on enforcing it. Do we have any plans around HSTS? Or this is
> > something that sysadmins should configure into their servers?
>
> Currently we have an option to disable SSL for each realm (enabled by default), adding HSTS could be tricky as we'd need to know what the option is in KC.
>
> I'm not convinced we should have the option to disable SSL per-realm, instead we could make it into a global option for the whole server. A server is either in dev or production mode, I don't see a use-case to have one secure realm and one unsecure at the same time. That would make it a lot simpler to set the HSTS header in a jax-rs filter, also make it easier for us to check if SSL (for all requests) is enabled in the jax-rs filter.
>
> >
> > On 2014-07-31, Stian Thorgersen wrote:
> > > To make sure no-one goes off and uses Keycloak in production without HTTPS
> > > we should require SSL by default. To still allow developers to play with
> > > Keycloak without having to configure HTTPS first we should allow non-HTTPS
> > > if accessed via localhost only.
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> >

--

abstractj
PGP: 0x84DC9914
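For readers following the design being discussed (a server-wide "SSL required" switch, plain HTTP tolerated only on localhost, and an HSTS header set from a JAX-RS filter), here is an added example of what such a filter pair can look like. It is illustrative code written for this thread, not Keycloak's own implementation; the `SSL_REQUIRED` constant stands in for the hypothetical global option, and the filter class name and the loopback host list are assumptions.

```java
// Added example, not Keycloak's code: a JAX-RS 2.0 filter pair that rejects
// plain-HTTP requests unless they target the loopback host, and adds HSTS on
// HTTPS responses. SSL_REQUIRED is a stand-in for a hypothetical server-wide
// setting; a real deployment would read it from configuration.
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching
public class RequireSslFilter implements ContainerRequestFilter, ContainerResponseFilter {

    // Hypothetical global switch (one setting for the whole server, not per realm).
    private static final boolean SSL_REQUIRED = true;

    // One year, applied to subdomains as well: a common baseline HSTS policy.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    // Hosts treated as "localhost" for the developer exception. URI.getHost()
    // keeps the brackets around an IPv6 literal, hence both forms of ::1.
    private static final Set<String> LOOPBACK_HOSTS = new HashSet<>(
            Arrays.asList("localhost", "127.0.0.1", "::1", "[::1]"));

    /** Pure decision, separated out so it can be unit-tested without a container. */
    static boolean isAllowed(URI requestUri, boolean sslRequired) {
        if (!sslRequired) {
            return true;                       // dev mode: anything goes
        }
        if ("https".equalsIgnoreCase(requestUri.getScheme())) {
            return true;                       // TLS in use, always fine
        }
        // Plain HTTP only when addressed to the loopback host.
        String host = requestUri.getHost();
        return host != null && LOOPBACK_HOSTS.contains(host.toLowerCase());
    }

    @Override
    public void filter(ContainerRequestContext request) {
        URI uri = request.getUriInfo().getRequestUri();
        if (!isAllowed(uri, SSL_REQUIRED)) {
            // Abort before resource matching; the resource never sees the request.
            request.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("HTTPS required")
                    .build());
        }
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
        // Browsers ignore Strict-Transport-Security received over plain HTTP,
        // so the header is only worth adding on HTTPS responses.
        URI uri = request.getUriInfo().getRequestUri();
        if (SSL_REQUIRED && "https".equalsIgnoreCase(uri.getScheme())) {
            response.getHeaders().putSingle("Strict-Transport-Security", HSTS_VALUE);
        }
    }
}
```

Two caveats for anyone adapting this. First, the filter looks at the scheme and host of the request URI as the JAX-RS runtime reconstructs them, so behind a reverse proxy that terminates TLS every request would appear as plain HTTP and be rejected unless the container is configured to trust the proxy's forwarded scheme. Second, "accessed via localhost" here means the request was addressed to a loopback host name, which is driven by the client's Host header; a stricter implementation would check the connection's remote address (for example by injecting the servlet request) rather than the name the client chose to send.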

