As far as I know, invoking through HTTP is just tunneling RMI. Whether you're sending the data over RMI directly to the server or sending it over HTTP to the server makes little difference from a security point of view.
Both times, an attacker may send arbitrary untrusted data right inside JBoss. Certainly the HTTP invoker does not check the data that it passes along to the inner parts of JBoss.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3829842#3829842
