river-dev mailing list archives

From Gregg Wonderly <gr...@wonderly.org>
Subject Re: SSL Secure Endpoints never fully utilised by River services
Date Sat, 21 Apr 2018 14:08:05 GMT
There are lots of details around lost login context.  I had to wire up some of that in my swing/awt
infrastructure.  This is required so that those event/callbacks also assert the right credentials.



> On Apr 21, 2018, at 1:06 AM, Peter <jini@zeus.net.au> wrote:
> To be more accurate it limits the call backs to anon client connections, which is vulnerable to man in the middle attacks.
> The way to fix this is to ensure the login context is preserved and utilised when making call backs.
>> On 21/04/2018 9:57 AM, Peter wrote:
>> It's clear to me now that the Jini team never fully completed the integration of JERI with Jini.
>> The evidence: call backs to event listeners are not run with the service's logged in subject, this prevents secure endpoints from establishing connections for call backs.
>> Risk: I have rectified this in my local code and am running tests.
>> I have rectified this in my local code and am running tests.
>> Just thought you might be interested to know.
>> Regards,
>> Peter.
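
The lost login context discussed in this thread, as an added example that is not code from River or from either poster: a hypothetical `SubjectPreservingExecutor` that captures the JAAS `Subject` when a callback is queued and restores it with `Subject.doAs` on the worker thread, failing closed when no Subject is present. It uses only JDK classes and assumes a Java 8 to 17 runtime, where `Subject.getSubject` and `AccessController` are still supported; the principal name is constructed.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.concurrent.Executor;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper: runs each callback as the Subject that was current when it was queued. */
public final class SubjectPreservingExecutor implements Executor {
    private final Executor delegate;

    public SubjectPreservingExecutor(Executor delegate) { this.delegate = delegate; }

    @Override
    public void execute(Runnable callback) {
        // Capture the caller's context now; the worker thread does not carry it.
        final AccessControlContext ctx = AccessController.getContext();
        final Subject subject = Subject.getSubject(ctx);
        if (subject == null) {
            // Fail closed rather than dispatching the callback anonymously.
            throw new SecurityException("no logged-in Subject to run the callback as");
        }
        delegate.execute(() -> Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            callback.run();
            return null;
        }));
    }

    public static void main(String[] args) throws Exception {
        Subject service = new Subject();   // constructed stand-in for a JAAS login result
        service.getPrincipals().add(new X500Principal("CN=ExampleService"));
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Executor callbacks = new SubjectPreservingExecutor(pool);
        Runnable listener = () -> System.out.println(Thread.currentThread().getName()
                + " runs as " + Subject.getSubject(AccessController.getContext()));

        pool.execute(listener);   // queued outside doAs: the worker sees no Subject
        Subject.doAs(service, (PrivilegedAction<Void>) () -> {
            callbacks.execute(listener);   // queued through the wrapper: Subject restored
            return null;
        });
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.SECONDS);
    }
}
```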
