[keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem

Stian Thorgersen stian at redhat.com
Mon Nov 3 03:19:15 EST 2014



----- Original Message -----
> From: "Stan Silvert" <ssilvert at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Friday, 31 October, 2014 7:42:34 PM
> Subject: Re: [keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
> 
> On 10/31/2014 4:15 AM, Stian Thorgersen wrote:
> > Looks good to me. We should include this in Beta1.
> >
> > A few comments/questions:
> >
> > * Can we support enabling confidential transport-guarantee
> > (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems to
> > be the last requirement for an exploded WAR
> Looking this over, it seems pretty important!  I think I'd like to go
> ahead and implement this option before we merge.  I should be able to do
> that and also finish the doc updates by the middle of next week.  Just
> go ahead and release the Beta if you want.  I can catch the next release
> train.
> 
> I plan to implement this as a boolean value on the server called
> "https-required". Is there a better name for it?
> <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
>              <auth-server name="foo">
>                  <enabled>true</enabled>
>                  <web-context>auth</web-context>
>                  <https-required>true</https-required>
>              </auth-server>
> </subsystem>
> 
> Should the default be false?  I realize that the default in the
> appliance dist is false, but should the default always be false?

We already have the option 'ssl-required' on a realm, so that may be confusing. What about 'redirect-non-ssl'?

It shouldn't be on by default, as that would require setting up ssl for development as well. We have the 'ssl-required' set to 'external' to give us a compromise between usability and security.

> 
> If true, this will be automatically added to auth-server.war at deploy time:
> 
> <security-constraint>
>     <web-resource-collection>
>        <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
> </security-constraint>
> 

