[keycloak-dev] Enable SSL by default
Stian Thorgersen
stian at redhat.com
Thu Jul 31 11:15:40 EDT 2014
This is pretty tricky if we want a nice error page. Especially as we need to know the realm to know the login theme.
I'm dropping this, and instead adding RealmModel.isSslNotRequiredLocalRequest. By default isSslNotRequired will be false, while isSslNotRequiredLocalRequest will be true.
----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 31 July, 2014 2:04:47 PM
> Subject: Re: [keycloak-dev] Enable SSL by default
>
> I propose we remove the SSL required switch on the Realm. Instead we have an
> option to configure SSL requirement in keycloak-server.json, which also
> allows excluding IP addresses.
>
> Default config would be:
>
> {
>   "https": {
>     "required" : true,
>     "exclude": [ "localhost", "127.0.0.1" ]
>   }
> }
>
> If someone wants to allow local network traffic without https they could
> change it to:
>
> {
>   "https": {
>     "required" : true,
>     "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
>   }
> }
>
> And of course if someone really wants to they can disable it altogether with:
>
> {
>   "https": {
>     "required" : false,
>     "exclude": [ "localhost", "127.0.0.1", "10.9.10.*" ]
>   }
> }
>
> If no config is specified I think it should default to required: true, with
> empty exclude.
>
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Thursday, 31 July, 2014 1:53:48 PM
> > Subject: Re: [keycloak-dev] Enable SSL by default
> >
> > So hardcode the localhost requirement? That would work. The switch
> > would be "require ssl" or "non-encrypted localhost only"
> >
> > On 7/31/2014 5:40 AM, Stian Thorgersen wrote:
> > > To make sure no-one goes off and uses Keycloak in production without HTTPS
> > > we should require SSL by default. To still allow developers to play with
> > > Keycloak without having to configure HTTPS first we should allow
> > > non-HTTPS
> > > if accessed via localhost only.
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
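The exclude-list check from the quoted keycloak-server.json proposal and the realm-level local-request flag from the top message, written out as an added Python sketch that is not Keycloak's own code; the sample config string, the function names and the reading of "local request" as a loopback peer address are assumptions.

```python
import ipaddress
import json

# Constructed sample of the proposed keycloak-server.json "https" section (not shipped config).
DEFAULT_CONFIG = '{"https": {"required": true, "exclude": ["localhost", "127.0.0.1"]}}'

def load_https_policy(config_json):
    """Parse the proposed "https" section. No config at all means required=true, empty exclude."""
    cfg = json.loads(config_json) if config_json else {}
    https = cfg.get("https", {})
    return {"required": bool(https.get("required", True)),
            "exclude": [str(e) for e in https.get("exclude", [])]}

def _excluded(pattern, remote):
    """Match one exclude entry: exact hostname/IP, or a dotted quad with '*' segments."""
    if pattern.lower() == remote.lower():
        return True
    p, r = pattern.split("."), remote.split(".")
    # segment-wise, so that "10.9.10.*" does not also match "10.9.100.5" as a plain glob would
    return len(p) == 4 and len(r) == 4 and all(ps == "*" or ps == rs for ps, rs in zip(p, r))

def https_required(policy, scheme, remote):
    """True when a request must be refused for arriving without TLS.
    `remote` must be the real peer address: behind a reverse proxy, only trust a
    forwarded address that comes from a proxy you control."""
    if scheme.lower() == "https" or not policy["required"]:
        return False
    return not any(_excluded(e, remote) for e in policy["exclude"])

def realm_https_required(ssl_not_required, ssl_not_required_local, scheme, remote):
    """Realm-level variant from the top message (defaults: isSslNotRequired=false,
    isSslNotRequiredLocalRequest=true): plain HTTP passes only for a loopback peer."""
    if scheme.lower() == "https" or ssl_not_required:
        return False
    try:
        local = ipaddress.ip_address(remote).is_loopback
    except ValueError:
        local = remote.lower() == "localhost"  # hostname form, as in the exclude list
    return not (ssl_not_required_local and local)

if __name__ == "__main__":
    policy = load_https_policy(DEFAULT_CONFIG)
    print(https_required(policy, "http", "127.0.0.1"))       # False: excluded by default
    print(https_required(policy, "http", "10.9.10.7"))       # True: no LAN exclusion by default
    print(realm_https_required(False, True, "http", "::1"))  # False: loopback request
```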