river-dev mailing list archives

From Gregg Wonderly <gr...@wonderly.org>
Subject Re: SSL Secure Endpoints never fully utilised by River services
Date Sat, 21 Apr 2018 14:08:05 GMT
There are lots of details around lost login context.  I had to wire up some of that in my Swing/AWT infrastructure.  This is required so that those event/callbacks also assert the right credentials.

Gregg


> On Apr 21, 2018, at 1:06 AM, Peter <jini@zeus.net.au> wrote:
> 
> To be more accurate it limits the call backs to anon client connections, which is vulnerable to man in the middle attacks.
> 
> The way to fix this is to ensure the login context is preserved and utilised when making call backs.
> 
>> On 21/04/2018 9:57 AM, Peter wrote:
>> It's clear to me now that the Jini team never fully completed the integration of JERI with Jini.
>> 
>> The evidence: call backs to event listeners are not run with the service's logged in subject, this prevents secure endpoints from establishing connections for call backs.
>> 
>> I have rectified this in my local code and am running tests.
>> 
>> Just thought you might be interested to know.
>> 
>> Regards,
>> 
>> Peter.
>> 
> 
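
One way to keep the login context across a callback dispatch, as discussed in this thread. This is an added example, not code from River or from either poster. It assumes the Java 8-era JAAS calls `Subject.doAs` and `Subject.getSubject`; `SubjectPreservingCallback` and the principal name are hypothetical.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;

/** Hypothetical helper: binds a callback to the Subject current when it was created. */
public class SubjectPreservingCallback implements Runnable {
    private final Subject subject;   // captured login context, may be null
    private final Runnable delegate;

    public SubjectPreservingCallback(Runnable delegate) {
        // Capture on the registering thread, which still carries the login context.
        this.subject = Subject.getSubject(AccessController.getContext());
        this.delegate = delegate;
    }

    @Override
    public void run() {
        if (subject == null) {
            // Fail closed: do not silently fall back to an anonymous call.
            throw new SecurityException("no Subject captured; refusing anonymous callback");
        }
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> { delegate.run(); return null; });
    }

    public static void main(String[] args) throws Exception {
        ExecutorService dispatcher = Executors.newSingleThreadExecutor();
        dispatcher.submit(() -> { }).get();   // start the worker thread outside any Subject

        Subject service = new Subject();      // constructed stand-in for a JAAS login result
        service.getPrincipals().add((Principal) () -> "constructed-service-principal");

        Runnable report = () -> {
            Subject s = Subject.getSubject(AccessController.getContext());
            System.out.println(Thread.currentThread().getName() + " sees "
                    + (s == null ? "no Subject" : s.getPrincipals().iterator().next().getName()));
        };
        Subject.doAs(service, (PrivilegedAction<Void>) () -> {
            dispatcher.execute(report);                                // plain dispatch
            dispatcher.execute(new SubjectPreservingCallback(report)); // Subject re-asserted
            return null;
        });
        dispatcher.shutdown();
    }
}
```

The wrapper throws rather than running the callback when no Subject was captured, so a lost login context surfaces as an error instead of an anonymous connection.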
