On Wed, Nov 28, 2012 at 3:50 PM, Bertrand Delacretaz <[email protected] > wrote:
> On Wed, Nov 28, 2012 at 3:09 PM, Fabian Christ > <[email protected]> wrote: > > ...I am -1 for making this the default. > > > > I would prefer to keep the default really simple. If people want security > > they have to do something for it. This is true for most systems and > > frameworks that I know about.... > > Same here - my use case for Stanbol is a stateless service that > doesn't need any security by itself. Stanbol security only makes a difference if the services you're using require some special privileges (i.e. Permissions the anonymous user has not). Is this the case for the stateless services you're using? > If I need to control access to i I'll configure something at the network > level or put an httpd server > in front. > Ok, for the felix webconsole by checking for AllPermissions a security check is performed even if no security policy has been set (i.e. stanbol has been started without -s) to avoid double login with different credential in you usecase this should be disabled. > > I don't think Solr, for example has security features enabled by > default, not even sure if it does provide any security feature. > That's true. Solr needs to firewalled or security configured via the web-container. > Optional security features are fine as long as they don't burden the > simple use case and don't make the code more complex than it needs to > be. > The "Stateless" Stable launcher which seems to be the one suited for your needs has no security modules. Cheers, Reto
