Following up on recent discussions about security.

Java, River / Jini Security features are advanced programming concepts.

You need security policies, and need to know what permissions each codebase 
requires to function.  A key server is essential, along with user Subjects and 
Principals (including preserving the SubjectDomainCombiner across privileged 
calls).  Then you've got Proxy trust, verification and dynamic grants. 

I've thought previously about having separate releases, one for private 
networks, the other for untrusted networks.  Leading me to consider modularity, 
to avoid forking, that, classloader issues and codebase annotation loss.  But 
modularity appears to have stalled.  A lot of the code I'm writing is in 
different branches, I'm not great at merging, and will be time poor soon, so 
I'm concentrating on wrapping up my recent security work.

Does anyone have any suggestions for annotations?  So developers can weave in 
security later, allowing them to get up and running with River in a local 
network first, then learn security later?

Example: an annotation and the boilerplate code that needs to be weaved in by 
an annotation processor.

Cheers,

Peter.
