While the "unsecure" over loopback is quite tempting, I would prefer to have homogeneous behaviour with the possibility to disable security altogether for quick demos. Otherwise a developer would need to code differently for the local use case than for the remote one, causing more confusion.
Tristan

On 30/03/2017 14:54, Sebastian Laskawiec wrote:
> I agree the security out of the box is good. But at the same time we
> don't want to make Infinispan harder to use for new developers. Out of
> the box configuration should be "good enough" to start hacking.
>
> I would propose to make all the endpoints unprotected (with
> authentication disabled) on localhost/loopback and protected when
> calling from the outside world.
>
> On Thu, Mar 30, 2017 at 2:39 PM Tristan Tarrant <ttarr...@redhat.com> wrote:
>
> Dear all,
>
> after a mini chat on IRC, I wanted to bring this to everybody's
> attention.
>
> We should make the Hot Rod endpoint require authentication in the
> out-of-the-box configuration.
> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
> mechanism against the ApplicationRealm and require users to run the
> add-user script.
> This would achieve two goals:
> - secure out-of-the-box configuration, which is always a good idea
> - access to the "protected" schema and script caches which is prevented
> when not on loopback on non-authenticated endpoints.
>
> Tristan
> --
> Tristan Tarrant
> Infinispan Lead
> JBoss, a division of Red Hat
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev

--
Tristan Tarrant
Infinispan Lead
JBoss, a division of Red Hat