liudezhi2098 commented on PR #15121: URL: https://github.com/apache/pulsar/pull/15121#issuecomment-1100014509
> Having a constant secret looks like a security hole to me.
>
> Can you please explain more?

@eolivelli because DefaultAsyncHttpClient will automatically follow the redirect URL and reuse the current SaslRoleToken; there is currently no place to modify it, so when the request goes to another broker, the saslRoleTokenSigner check fails. If you use the REST API, it will also cause this problem. Having a constant secret, there will be certain security risks, but the key is stored on the broker side, and the client side does get. e.g.:

```java
DefaultAsyncHttpClientConfig.Builder confBuilder = new DefaultAsyncHttpClientConfig.Builder();
confBuilder.setFollowRedirect(true);
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
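The failure mode described in the comment above, as an added illustration that is not code from the PR or from the Pulsar code base: a client obtains a signed role token from one broker, the HTTP client follows a redirect to a second broker and replays the same token, and the second broker can only validate it if both brokers sign with the same secret. The token format (`<role>&s=<hmac>`), the `Broker` class and the `client_request` function are constructed for this example and are not Pulsar's `SaslRoleTokenSigner` or its REST layer.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed token format for the example: "<role>&s=<hex hmac>".
# Illustration only; Pulsar's real SaslRoleTokenSigner is not modelled here.


def sign_token(role: str, secret: bytes) -> str:
    """Mint a role token bound to `secret` (hypothetical format)."""
    sig = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}&s={sig}"


def verify_token(token: str, secret: bytes) -> Optional[str]:
    """Return the role if `token` was signed with `secret`, else None."""
    role, sep, sig = token.rpartition("&s=")
    if not sep:
        return None
    expected = hmac.new(secret, role.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the MAC
    return role if hmac.compare_digest(expected, sig) else None


class Broker:
    """A hypothetical broker that either serves the request or redirects to a peer."""

    def __init__(self, name: str, secret: bytes, redirect_to: Optional["Broker"] = None):
        self.name = name
        self.secret = secret          # secret used to sign/verify role tokens
        self.redirect_to = redirect_to

    def handle(self, token: str) -> Tuple[int, Optional["Broker"]]:
        if self.redirect_to is not None:
            return 307, self.redirect_to       # "the owner of this resource is over there"
        if verify_token(token, self.secret) is None:
            return 401, None                   # signer check failed
        return 200, None


def client_request(first: Broker, token: str,
                   follow_redirects: bool = True, max_hops: int = 5) -> Tuple[int, str]:
    """Models an HTTP client with follow-redirect enabled (as with
    DefaultAsyncHttpClientConfig.Builder.setFollowRedirect(true)): the redirected
    request is replayed with the *same* token, because nothing re-authenticates.
    Returns (status, name of the broker that produced the final status)."""
    broker = first
    for _ in range(max_hops):
        status, nxt = broker.handle(token)
        if status != 307 or not follow_redirects or nxt is None:
            return status, broker.name
        broker = nxt
    return 508, broker.name                    # redirect loop guard


def simulate(shared_secret: bool) -> Tuple[int, str]:
    """Client authenticates against broker-a, which redirects to broker-b.
    With per-broker secrets the replayed token fails on broker-b; with one
    secret shared by the cluster it verifies."""
    secret_a = secrets.token_bytes(32)
    secret_b = secret_a if shared_secret else secrets.token_bytes(32)
    broker_b = Broker("broker-b", secret_b)
    broker_a = Broker("broker-a", secret_a, redirect_to=broker_b)
    token = sign_token("client-role", secret_a)   # issued by broker-a after auth
    return client_request(broker_a, token)


if __name__ == "__main__":
    print("per-broker secrets:", simulate(shared_secret=False))   # (401, 'broker-b')
    print("shared secret:     ", simulate(shared_secret=True))    # (200, 'broker-b')
```

The example makes the two halves of the trade-off visible: the redirect can only succeed if every broker that may receive the replayed token shares the signing secret, but a secret that is constant in the source is as good as public, so any holder of the code can mint tokens that pass `verify_token`. The defensive middle ground is a per-cluster secret that is generated randomly and distributed to brokers through configuration (not compiled in), so that `simulate(shared_secret=True)` holds in production without the secret being known outside the broker side.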
