There are lots of details around lost login context. I had to wire up some of that in my Swing/AWT infrastructure. This is required so that those event/callbacks also assert the right credentials.

Gregg

Sent from my iPhone

> On Apr 21, 2018, at 1:06 AM, Peter <j...@zeus.net.au> wrote:
>
> To be more accurate it limits the call backs to anon client connections,
> which is vulnerable to man in the middle attacks.
>
> The way to fix this is to ensure the login context is preserved and utilised
> when making call backs.
>
>> On 21/04/2018 9:57 AM, Peter wrote:
>> It's clear to me now that the Jini team never fully completed the
>> integration of JERI with Jini.
>>
>> The evidence: call backs to event listeners are not run with the service's
>> logged in subject, this prevents secure endpoints from establishing
>> connections for call backs.
>>
>> I have rectified this in my local code and am running tests.
>>
>> Just thought you might be interested to know.
>>
>> Regards,
>>
>> Peter.
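
The lost login context discussed in this thread, as an added example that is not code from the thread or from the River/Jini code base: a callback dispatched on a worker thread runs with no `Subject` unless the dispatcher re-asserts the one it captured. `Listener`, `SubjectPreservingDispatcher` and the `CN=service` principal are hypothetical, and the code assumes the Java 8-era `Subject.doAs`/`Subject.getSubject` API (newer JDKs replace these with `Subject.callAs` and `Subject.current`).

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class CallbackSubjectDemo {
    /** Hypothetical listener standing in for a remote event listener proxy. */
    interface Listener { void notifyEvent(String event); }

    /** Name of the subject bound to the calling thread's access control context. */
    static String currentSubjectName() {
        Subject s = Subject.getSubject(AccessController.getContext());
        return s == null ? "<anonymous>" : s.getPrincipals().iterator().next().getName();
    }

    /** Captures the logged-in subject once and re-asserts it around every callback. */
    static final class SubjectPreservingDispatcher {
        private final Subject subject;
        private final ExecutorService pool = Executors.newSingleThreadExecutor();
        SubjectPreservingDispatcher(Subject subject) { this.subject = subject; }

        // Callback runs on the pool thread with whatever context that thread has:
        // no subject, so a secure endpoint would see an anonymous caller.
        void dispatchLosingContext(Listener l, String ev) throws Exception {
            pool.submit(() -> l.notifyEvent(ev)).get();
        }
        // Callback runs on the same pool thread, but inside doAs with the captured subject.
        void dispatch(Listener l, String ev) throws Exception {
            pool.submit(() -> Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
                l.notifyEvent(ev);
                return null;
            })).get();
        }
        void shutdown() { pool.shutdown(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed subject; a real service would obtain it from LoginContext.login().
        Subject service = new Subject(true,
            Collections.singleton(new X500Principal("CN=service")),
            Collections.emptySet(), Collections.emptySet());
        Listener l = ev -> System.out.println(ev + " delivered as " + currentSubjectName());
        SubjectPreservingDispatcher d = new SubjectPreservingDispatcher(service);
        d.dispatchLosingContext(l, "event-1");
        d.dispatch(l, "event-2");
        d.shutdown();
    }
}
```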