William Becker wrote:
>
>
> Do you think we have adequately addressed the security issues?
>
>
> If you can think of another way to crack jabsorb, I would be
> interested to know! I tried injecting things for ages and didn't seem
> to be able to do much.
>
>
> I'm not completely aware of how the constructor feature is used. Can I
> call any arbitrary constructor or is it only for registered classes?
>
>
> To use a constructor, it needs to be provided by the servlet. This
> requires two things:
> * The class which is to be constructed needs to be registered on the
> bridge,
> e.g.:
> JSONRPCBridge.registerClass("ConstructorTest",org.jabsorb.test.ConstructorTest.class);
> * The object which is constructed also needs to be registered as a
> reference type,
> e.g.:
> JSONRPCBridge.registerCallableReference(org.jabsorb.test.ConstructorTest.class);
>
>
> If it is only registered classes then I'm happy - it is up to the user
> to only export classes or instances where they have thought of the
> associated security issues i.e. library users can of course make
> insecure apps with the present version by exporting insecure
> classes or
> instances - as with any web service framework - it can't address the
> issue of the user exporting interfaces to insecure code.
>
>
> I agree, so I think it should be safe without implementing SecurityPolicy.
OK. Sounds good to me. I'm all for going ahead and releasing it.
After we've branched, do you think it might be time to move the trunk
onto Java 1.5? Arthur? (i.e. assuming we have enough features in jabsorb
1.3 for the older jdk users and we can then maintain this in a branch).
_______________________________________________
Jabsorb-dev mailing list
[email protected]
http://lists.jabsorb.org/mailman/listinfo/jabsorb-dev
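The two-step registration described in the quoted reply (register the class on the bridge, then register it as a callable reference) is easiest to reason about as an allow-list gate in front of reflection. The following is an added toy model of that gate, written for this page; it is not jabsorb's own code. The `Bridge` class, the `.$constructor` method suffix, the request shape and the `CallableReference`/`objectID` result layout are assumptions of the toy, and `ConstructorTest` and `Runtime` are constructed stand-ins, not the real `org.jabsorb.test` classes:

```python
"""Toy model of a registry-gated JSON-RPC constructor call.

Added illustration, NOT jabsorb's implementation. It mirrors the rule from the
thread: a client can only invoke a constructor for a class name the servlet
explicitly registered, and only gets the instance back as an opaque reference
if that class was also registered as a callable reference. Everything about
the wire format here (the ".$constructor" suffix, the "CallableReference"
result) is an assumption of this model.
"""
import itertools
import json


class ConstructorTest:
    """Constructed stand-in for org.jabsorb.test.ConstructorTest."""

    def __init__(self, value=0):
        self.value = value

    def get_value(self):
        return self.value


class Runtime:
    """Exists in the process, but is deliberately never registered."""


class Unreferenced:
    """Registered as a class, but not as a callable reference."""


class Bridge:
    """A constructor call resolves only through the explicit registry."""

    def __init__(self):
        self._classes = {}            # exported name -> class
        self._callable_refs = set()   # classes handed to clients by reference
        self._objects = {}            # objectID -> live instance
        self._ids = itertools.count(1)

    def register_class(self, name, cls):
        self._classes[name] = cls

    def register_callable_reference(self, cls):
        self._callable_refs.add(cls)

    def dispatch(self, request_json):
        req = json.loads(request_json)
        method = req["method"]
        params = req.get("params", [])
        suffix = ".$constructor"
        if not method.endswith(suffix):
            return {"id": req.get("id"), "error": "only constructor calls are modelled"}
        name = method[: -len(suffix)]
        cls = self._classes.get(name)
        if cls is None:
            # Gate 1: an unregistered name never reaches reflection, whatever
            # classes happen to be loadable in the process.
            return {"id": req.get("id"), "error": "unknown class: " + name}
        if cls not in self._callable_refs:
            # Gate 2: a class that is exported but not a reference type cannot
            # be handed back to the client as a live object.
            return {"id": req.get("id"),
                    "error": "not registered as a callable reference: " + name}
        obj = cls(*params)
        object_id = next(self._ids)
        self._objects[object_id] = obj
        return {"id": req.get("id"),
                "result": {"JSONRPCType": "CallableReference", "objectID": object_id}}

    def lookup(self, object_id):
        """Server-side resolution of a handle to the instance it refers to."""
        return self._objects[object_id]


def demo():
    """Run the three cases the thread distinguishes and return their results."""
    bridge = Bridge()
    bridge.register_class("ConstructorTest", ConstructorTest)
    bridge.register_callable_reference(ConstructorTest)
    bridge.register_class("Unreferenced", Unreferenced)  # step 1 only

    ok = bridge.dispatch(json.dumps(
        {"id": 1, "method": "ConstructorTest.$constructor", "params": [42]}))
    unknown = bridge.dispatch(json.dumps(
        {"id": 2, "method": "Runtime.$constructor", "params": []}))
    half = bridge.dispatch(json.dumps(
        {"id": 3, "method": "Unreferenced.$constructor", "params": []}))
    value = bridge.lookup(ok["result"]["objectID"]).get_value()
    return ok, unknown, half, value


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point the model makes is the one the thread settles on: the constructor feature cannot be used to instantiate an arbitrary class, because name resolution goes through the servlet's registry rather than through class loading, so the exposure is bounded by what the application author chose to export.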