Scenario:
1. Lookup service provided by trusted party (obtained using secure
discovery).
2. Lookup service allows third party's to register services, these
service providers may or may not be trusted.
3. Client wishes to ensure constraints are applied by the registrar
proxy to services prior to unmarshalling.
Possible partial solution:
1. Lookup service itself is trusted
2. ServiceTemplate is not a final class, it can be extended,
ConstraintServiceTemplate?
3. ConstraintServiceTemplate used by lookup service to apply
constraints, including Authentication and Proxy Verification.
We just need to find a way to ensure Proxy verification occurs prior to
downloading classes and as soon as possible.
We also need to find a way for ObjectInputStream to limit the classes
that can be deserialized until proxy verification has been performed.
And do this in a way that's backwards compatible if possible.
Thoughts / discussion?
Peter.
