Hi Sven,

On 12/7/06, Sven Panko <[EMAIL PROTECTED]> wrote:
> > > My last question concerns the different default max object sizes in the en- and decoder implementations - is there a reason why the encoder may encode objects up to Integer.MAX_VALUE, but the decoder refuses anything above 1MB? Are you aware of some known issues concerning memory consumption if I set the max object size of the decoder to Integer.MAX_VALUE as well?
> >
> > I thought decoder should be more restrictive in receiving a big object because of the risk of DoS attack. That's all. If there's consensus on changing the default value, we can change it, too. :)
>
> Ok, just what I thought. The default value is fine - I think a short note in the JavaDoc stating that the max object size in decoder is set to a lower value because of possible DoS attacks would be nice. The reason that this doesn't affect me directly at the object serialization level is because of the fact I use SSL with client certs and the SSL filter prevents connections with invalid certs prior to a possible DoS attack (or am I mistaken?).

You are right. We need to update the documentation.

Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/
--
PGP key fingerprints:
* E167 E6AF E73A CBCE EE41 4A29 544D DE48 FE95 4E7E
* B693 628E 6047 4F8F CFA4 455E 1C62 A7DC 0255 ECA6
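The decoder-side limit discussed in this thread, sketched as an added example that is not part of the original message and is not Apache MINA code. It assumes a 4-byte big-endian length prefix in front of each serialized object; the class `BoundedFrameDecoder` and its `decode` method are hypothetical names, and the sample buffers are constructed.

```java
import java.nio.ByteBuffer;

// Added illustration, not Apache MINA code; class and method names are hypothetical.
public class BoundedFrameDecoder {
    private final int maxObjectSize;

    public BoundedFrameDecoder(int maxObjectSize) {
        if (maxObjectSize <= 0) {
            throw new IllegalArgumentException("maxObjectSize must be positive");
        }
        this.maxObjectSize = maxObjectSize;
    }

    // Returns one complete payload, or null when more bytes are needed.
    public byte[] decode(ByteBuffer in) {
        if (in.remaining() < 4) {
            return null; // length prefix incomplete
        }
        int declared = in.getInt(in.position()); // peek without consuming
        // The prefix is sender-controlled: check it before allocating anything.
        if (declared < 0 || declared > maxObjectSize) {
            throw new IllegalStateException(
                "declared length " + declared + " outside 0.." + maxObjectSize);
        }
        if (in.remaining() - 4 < declared) {
            return null; // wait for the rest of the frame
        }
        in.getInt(); // consume the prefix
        byte[] payload = new byte[declared];
        in.get(payload);
        return payload;
    }

    public static void main(String[] args) {
        BoundedFrameDecoder decoder = new BoundedFrameDecoder(1024 * 1024); // 1MB
        // Constructed input: 4-byte length prefix (3) plus 3 payload bytes.
        ByteBuffer ok = ByteBuffer.allocate(7).putInt(3).put(new byte[] {1, 2, 3});
        ok.flip();
        System.out.println("decoded bytes: " + decoder.decode(ok).length);

        // Constructed input: prefix claims Integer.MAX_VALUE bytes, nothing follows.
        ByteBuffer huge = ByteBuffer.allocate(4).putInt(Integer.MAX_VALUE);
        huge.flip();
        try {
            decoder.decode(huge);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second buffer is only four bytes on the wire, yet without the limit check it would ask the receiver to reserve about 2 GB, which is why the receiving side carries the tighter default.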
