On Thu, Mar 30, 2017 at 4:31 PM, Dennis Reed <der...@redhat.com> wrote:
> +1 to authentication and encryption by default.
> This is 2017, that's how *everything* should be configured.
>
Agree, and SSL can always be turned on if needed. But enabling it by default and forcing upfront handling of certificates, keystores and truststores is overkill IMO.

> -1 to making it easy to trust all certs. That negates the point of
> using encryption in the first place and should really never be done.
>
> If it's too hard to configure the correct way that we think it would
> turn users away, that's a usability problem that needs to be fixed.
>
> -Dennis
>
>
> On 03/30/2017 09:29 AM, Tristan Tarrant wrote:
> > While the "unsecure" over loopback is quite tempting, I would prefer to
> > have homogeneous behaviour with the possibility to disable security
> > altogether for quick demos.
> > Otherwise a developer would need to code differently for the local use
> > case than for the remote one, causing more confusion.
> >
> > Tristan
> >
> > On 30/03/2017 14:54, Sebastian Laskawiec wrote:
> >> I agree the security out of the box is good. But at the same time we
> >> don't want to make Infinispan harder to use for new developers. Out of
> >> the box configuration should be "good enough" to start hacking.
> >>
> >> I would propose to make all the endpoints unprotected (with
> >> authentication disabled) on localhost/loopback and protected when
> >> calling from the outside world.
> >>
> >> On Thu, Mar 30, 2017 at 2:39 PM Tristan Tarrant <ttarr...@redhat.com> wrote:
> >>
> >> Dear all,
> >>
> >> after a mini chat on IRC, I wanted to bring this to everybody's
> >> attention.
> >>
> >> We should make the Hot Rod endpoint require authentication in the
> >> out-of-the-box configuration.
> >> The proposal is to enable the PLAIN (or, preferably, DIGEST) SASL
> >> mechanism against the ApplicationRealm and require users to run the
> >> add-user script.
> >> This would achieve two goals:
> >> - secure out-of-the-box configuration, which is always a good idea
> >> - access to the "protected" schema and script caches which is prevented
> >> when not on loopback on non-authenticated endpoints.
> >>
> >> Tristan
> >> --
> >> Tristan Tarrant
> >> Infinispan Lead
> >> JBoss, a division of Red Hat
> >> _______________________________________________
> >> infinispan-dev mailing list
> >> infinispan-dev@lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/infinispan-dev
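A Hot Rod client configured the way Tristan's proposal implies, authenticating with DIGEST-MD5 against the ApplicationRealm and validating the server certificate against an explicit trust store instead of trusting all certs, as an added example that is not part of this thread or of the Infinispan code base; the server address, SASL server name, user, password and trust-store path are assumed.

```java
import org.infinispan.client.hotrod.RemoteCache;
import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;

/**
 * Added example (not from the thread): a Hot Rod client that authenticates
 * with DIGEST-MD5 against the server's ApplicationRealm and checks the
 * server certificate against a dedicated trust store.
 */
public class SecureHotRodClient {

    public static RemoteCacheManager connect() {
        ConfigurationBuilder builder = new ConfigurationBuilder();
        builder.addServer()
                   .host("127.0.0.1")                 // assumed server address
                   .port(11222)                       // assumed Hot Rod port
               .security()
                   .authentication()
                       .enable()
                       .saslMechanism("DIGEST-MD5")   // the mechanism the proposal prefers over PLAIN
                       .realm("ApplicationRealm")     // realm populated by the add-user script
                       .serverName("infinispan")      // assumed; must match the server's SASL server-name
                       .username("hotrod-user")       // assumed; a user created with add-user
                       .password("changeme".toCharArray()) // assumed; read from a secret store in practice
                   .ssl()
                       .enable()
                       // An explicit trust store containing the server's CA. Installing a
                       // permissive TrustManager ("trust all certs") would remove the
                       // server-identity check and make the encryption pointless.
                       .trustStoreFileName("/etc/infinispan/client-truststore.jks") // assumed path
                       .trustStorePassword("truststore-secret".toCharArray());      // assumed
        return new RemoteCacheManager(builder.build());
    }

    public static void main(String[] args) {
        RemoteCacheManager rcm = connect();
        try {
            RemoteCache<String, String> cache = rcm.getCache();
            cache.put("greeting", "hello");
            System.out.println(cache.get("greeting"));
        } finally {
            rcm.stop();
        }
    }
}
```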