On 29/03/2012 15:40, Colm O hEigeartaigh wrote: > Hi Francesco, > > Is it also possible to authenticate using 2-way TLS instead of HTTP/BA > for the REST API?
This would require additional setup by at least tweaking Spring Security configuration in [1]: this would be matter for a nice HOWTO wiki page as well ;-) Regards. [1] https://svn.apache.org/repos/asf/incubator/syncope/trunk/core/src/main/resources/securityContext.xml > 2012/3/29 Francesco Chicchiriccò <[email protected]>: >> On 29/03/2012 09:25, Bob Lannoy wrote: >>> Hi, >>> >>> with the remark about the use of MD5, I thought of something else. >>> If I'm not mistaken the connection between console and core is over plain >>> HTTP. >>> Do you plan supporting SSL connections between both? I put core behind >>> SSL but then the console didn't connect. >>> I saw in the trunk that in the configuration properties for the >>> console the protocol (scheme) option has been split out so maybe >>> you're already planning this? >> Hi Bob, >> there is nothing, in principle, that will obstacle core webapp to be >> available in HTTPS only (and hence the console to connect via HTTPS to >> the core): only, be sure to overcome usual issues arising when using >> self-signed certificates in Java: here is a brief checklist I would suggest: >> >> 1. put the servlet container with core webapp deployed inside in HTTPS >> 2. add the certificate of the CA you have used to sign the certificate >> for the step above in a trustore >> 3. reference the trustore above when launching the servlet container >> with console webapp deployed inside >> >> This should work: please, let us know whether you succeed. >> It could also be the case to add a page on our wiki about this. >> >> Regards. -- Francesco Chicchiriccò Apache Cocoon PMC and Apache Syncope PPMC Member http://people.apache.org/~ilgrosso/
