From: Sim IJskes - QCG
Organization: Quality Consultancy Group b.v.
Date: Fri, 08 Oct 2010 13:54:06 +0200
To: river-dev@incubator.apache.org
Subject: Re: Towards Internet Jini Services (trust)

On 10/08/2010 01:09 PM, Michal Kleczek wrote:
> On Friday 08 of October 2010 13:02:17 Sim IJskes - QCG wrote:
>> On 10/07/2010 09:57 PM, Michal Kleczek wrote:
>>> So...
>>> I've spent a day on some thinking and prototyping and hopefully I got an
>>> idea. Here is an outline:
>>
>>> 1. We annotate classes with an object implementing Module interface:
>> Is it safe to say that you are basically enhancing the codebase
>> annotation pattern?
> Basically - yes.
> Although I am not sure I understand precisely your question... :)

You understood correctly. :-) (I should have said, construct, well ok).

I noticed the readAnnotation of MarshalInputStream reads an Object and then casts it to a String. Are we sure that this is not a possible vector for a deserialization attack? Personally I would have taken a UTF-8 String (with limited length), but if you only unmarshall Objects from TLS connections, that you check first, I guess it's ok.

So your solution is allowing for different credentials between the TLS and the code source, and checking these credentials. Is this package pluggable onto river without modifications in river?

Gr. Sim
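
An added example, not part of the message above and not code from River: one way to carry a class annotation as a length-limited UTF-8 string, as the message suggests, so that the annotation field never passes through `readObject()`. The class name `BoundedAnnotation`, the 4096-byte limit and the length-prefixed wire layout are assumptions made for illustration.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.*;

/** Hypothetical helper: annotation as length-prefixed UTF-8 bytes, no object deserialization. */
public final class BoundedAnnotation {
    static final int MAX_BYTES = 4096; // assumed limit, not a River constant

    static void write(DataOutput out, String annotation) throws IOException {
        if (annotation == null) { out.writeInt(-1); return; } // -1 marks "no annotation"
        byte[] utf8 = annotation.getBytes(StandardCharsets.UTF_8);
        if (utf8.length > MAX_BYTES) throw new IOException("annotation too long");
        out.writeInt(utf8.length);
        out.write(utf8);
    }

    // ObjectInputStream implements DataInput, so this can be called from a stream subclass.
    static String read(DataInput in) throws IOException {
        int len = in.readInt();
        if (len == -1) return null;
        // Check the claimed length before allocating anything for it.
        if (len < 0 || len > MAX_BYTES)
            throw new InvalidObjectException("bad annotation length: " + len);
        byte[] utf8 = new byte[len];
        in.readFully(utf8);
        // REPORT turns malformed UTF-8 into an error instead of silently substituting U+FFFD.
        CharsetDecoder dec = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT);
        try {
            return dec.decode(ByteBuffer.wrap(utf8)).toString();
        } catch (CharacterCodingException e) {
            throw new InvalidObjectException("annotation is not valid UTF-8");
        }
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        write(new DataOutputStream(buf), "http://example.org/service-dl.jar"); // constructed sample
        System.out.println(read(new DataInputStream(new ByteArrayInputStream(buf.toByteArray()))));

        // Constructed malformed input: a length prefix claiming about 2 GiB.
        byte[] oversized = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        try {
            read(new DataInputStream(new ByteArrayInputStream(oversized)));
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the reader only ever produces a `String` or an exception, no class named by the remote side is resolved or instantiated while the annotation is being parsed.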