esme-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Hirsch <hirsch.d...@gmail.com>
Subject Re: Scala interpreter action
Date Mon, 06 Jul 2009 08:43:32 GMT
Should I deploy with this functionality active or not?

I just did a stax deplyoment with the actions.scala_interpreter.enable=false

D.

On Mon, Jul 6, 2009 at 10:24 AM, Vassil Dichev<vdichev@apache.org> wrote:
>> Should we remove it completely from the source or should we just
>> deactivate it by default?
>>
>> I agree that I wouldn't activate it in a producticve setting but it
>> might be useful while developing.
>
> Granted, this might not be the best way to monitor/debug ESME (e.g. if
> memory is so tight the JVM won't be able to create a new interpreter
> instance or send a new message). When I implemented the feature I was
> actually thinking of Dick's request for making it easier for ESME
> newcomers to learn Scala. I've also spent some time thinking about
> using ESME in a university and this feature makes a lot of sense in a
> classroom.
>
> My point is, I still think it could be made secure with a careful
> java.policy file (which a conscientious administrator should use
> anyway). David, do you think the Scala interpreter is impossible to
> secure or just not worth the effort? Also, what difference would it
> make to use Rhino, but not Scala in terms of a secure interpreter? The
> Scala interpreter implementation does use a new classloader and even
> allows you to override it and implement your own one. Try e.g. "import
> org.apache.esme.model.Message" or "import net.liftweb.util.Box".
>
> If the primary concern is trust in a federation, we could make it so a
> server is not allowed to participate in a federation if the Scala
> interpreter action is enabled.
>
> Cheers,
> Vassil
>

Mime
View raw message