[keycloak-dev] Notes on KEYCLOAK-795: Move Auth Server into KC subsystem
Bill Burke
bburke at redhat.com
Fri Oct 31 15:09:31 EDT 2014
How about confidential-transport-guarantee?

On 10/31/2014 2:42 PM, Stan Silvert wrote:
> On 10/31/2014 4:15 AM, Stian Thorgersen wrote:
>> Looks good to me. We should include this in Beta1.
>>
>> A few comments/questions:
>>
>> * Can we support enabling confidential transport-guarantee (auth-server/WEB-INF/web.xml) without cracking open the WAR? This seems to be the last requirement for an exploded WAR
> Looking this over, it seems pretty important! I think I'd like to go
> ahead and implement this option before we merge. I should be able to do
> that and also finish the doc updates by the middle of next week. Just
> go ahead and release the Beta if you want. I can catch the next release
> train.
>
> I plan to implement this as a boolean value on the server called
> "https-required". Is there a better name for it?
>
> <subsystem xmlns="urn:jboss:domain:keycloak:1.0">
>     <auth-server name="foo">
>         <enabled>true</enabled>
>         <web-context>auth</web-context>
>         <https-required>true</https-required>
>     </auth-server>
> </subsystem>
>
> Should the default be false? I realize that the default in the
> appliance dist is false, but should the default always be false?
>
> If true, this will be automatically added to auth-server.war at deploy time:
>
> <security-constraint>
>     <web-resource-collection>
>         <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
> </security-constraint>
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
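
Added example, not part of the original thread or of Keycloak's code: a check that a deployed web.xml really enforces the CONFIDENTIAL constraint quoted above for every request to /*. The function name and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the thread inside a namespaced <web-app>.
INJECTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed variants: constraint limited to GET, and no constraint at all.
GET_ONLY = INJECTED.replace("<url-pattern>/*</url-pattern>",
                            "<url-pattern>/*</url-pattern><http-method>GET</http-method>")
PLAIN = "<web-app><display-name>auth</display-name></web-app>"


def local(tag):
    """Strip the XML namespace so namespaced and bare web.xml files both match."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def text_of(elem):
    return (elem.text or "").strip()


def enforces_confidential_transport(web_xml):
    """True if a security-constraint applies CONFIDENTIAL to /* for all HTTP methods."""
    root = ET.fromstring(web_xml)
    for sc in children(root, "security-constraint"):
        guarantees = [text_of(tg)
                      for udc in children(sc, "user-data-constraint")
                      for tg in children(udc, "transport-guarantee")]
        if "CONFIDENTIAL" not in guarantees:
            continue
        for wrc in children(sc, "web-resource-collection"):
            patterns = [text_of(p) for p in children(wrc, "url-pattern")]
            # A method list narrows the constraint and leaves other methods uncovered.
            narrowed = children(wrc, "http-method") or children(wrc, "http-method-omission")
            if "/*" in patterns and not narrowed:
                return True
    return False
```
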