Return-Path: Delivered-To: apmail-jackrabbit-dev-archive@www.apache.org Received: (qmail 99914 invoked from network); 26 May 2010 11:28:47 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 26 May 2010 11:28:47 -0000 Received: (qmail 31344 invoked by uid 500); 26 May 2010 11:28:47 -0000 Delivered-To: apmail-jackrabbit-dev-archive@jackrabbit.apache.org Received: (qmail 31140 invoked by uid 500); 26 May 2010 11:28:44 -0000 Mailing-List: contact dev-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@jackrabbit.apache.org Delivered-To: mailing list dev@jackrabbit.apache.org Received: (qmail 31133 invoked by uid 99); 26 May 2010 11:28:43 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 26 May 2010 11:28:43 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of tmueller@day.com designates 207.126.148.87 as permitted sender) Received: from [207.126.148.87] (HELO eu3sys201aog101.obsmtp.com) (207.126.148.87) by apache.org (qpsmtpd/0.29) with SMTP; Wed, 26 May 2010 11:28:34 +0000 Received: from source ([209.85.221.175]) by eu3sys201aob101.postini.com ([207.126.154.11]) with SMTP ID DSNKS/0FzO1uvZkxxQct1/Mq+mcehuVgXKv0@postini.com; Wed, 26 May 2010 11:28:14 UTC Received: by qyk5 with SMTP id 5so9382147qyk.3 for ; Wed, 26 May 2010 04:28:12 -0700 (PDT) MIME-Version: 1.0 Received: by 10.229.185.2 with SMTP id cm2mr1817674qcb.47.1274873292310; Wed, 26 May 2010 04:28:12 -0700 (PDT) Received: by 10.229.232.75 with HTTP; Wed, 26 May 2010 04:28:12 -0700 (PDT) Date: Wed, 26 May 2010 13:28:12 +0200 Message-ID: Subject: [jr3] Security through obscurity From: =?ISO-8859-1?Q?Thomas_M=FCller?= To: dev Content-Type: text/plain; charset=ISO-8859-1 X-Virus-Checked: Checked by ClamAV on apache.org Do we want have public methods in the Jackrabbit 3 implementation that can possibly be misused (if somebody casts to an implementation class)? See the discussion at https://issues.apache.org/jira/browse/JCR-2640 The advantage of not having public classes: people can't cast implementation classes and call such methods. Is this really a problem? People should use the JCR API - they are not supposed to cast to implementation classes. The disadvantages are: it massively complicates developing Jackrabbit 3. It complicates understanding the source code. It potentially slows down performance. It needs more memory (potentially a lot, for example for cached objects such a NodeImpl). It's probably not always possible to follow this rule. It doesn't solve the problem (people can still modify the source code of Jackrabbit, or they can call setAccessible(true)). Wikipedia currently defines "security through obscurity" as follows: "a principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to provide security." In my view this is such a case. Examples of embedded repositories or databases a) that need more than one package and use this "no public methods" approach: - I don't know any. Are there any such projects? b) that do have public methods: - All open source Java databases I know (Apache Derby, HSQLDB, H2) - Hibernate (well probably most projects) - I'm sure there are many cases in Sun JDK and JRE, for example xml packages, javac, javadoc, almost everywhere where interfaces and implementation are distinct and multiple packages are used.