Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-12095

Use HTTPS and only HTTPS for management interfaces in default configuration

    Details

    • Type: Enhancement
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 16.0.0.Final
    • Fix Version/s: None
    • Component/s: Management, Security
    • Labels:
      None

      Description

      Current default configuration of WildFly uses plaintext HTTP for management interfaces that are used for web-console access. Even though, that it is possible to switch to HTTPS after login to web-console, I believe we should incorporate HTTPS and only HTTPS configuration of management interfaces in our default WildFly configuration as it brings in more secure approach.

      Note that there is digest-auth used for web-console login, thus password is not sent in a plain-text over the network, although there is still possibility of MITM attack, as such one can see what management operations are performed (actual request payload is binary, although I presume that it is easy to decode when one knows how to do it).

      Yes, I understand that by default, there will be just a self-signed certificate generated for server on first HTTPS request, but I believe it is still an improvement.

      Such change will affect both Web-Console and also CLI so both will operate over HTTPS. In case of self-signed certificate - if not already added in trusted certs, one has to accept certificate during the first login/access via Web-Console or CLI.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  jstourac Jan Stourac
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated: