On Oct 5, 2010, at 727AM, Sim IJskes - QCG wrote:

> On 10/05/2010 01:07 PM, Peter Firmstone wrote:
>> Yes I think Sim is talking about making trust decisions and Michal and I
>> are talking about the handshake, we need both, I don't think we're
>> having an issue of agreement, just understanding.
>
> No, i'm talking about both.
>
> Before you can unmarshall, you need code. This code is loaded by a
> classloader. The ONLY place where we can check code, is this classloader.

Just curious here, what if the decision was that you can only load classes locally? That in order to get your classes you had to first download the jars from a (trusted) server (perhaps even prompting the user to accept the download?). You would verify the authenticity of those jars before creating a classloader to load the required classes. If you already have the jars (locally) necessary, why download them again?

Consider you already have the service's interface (and any other supporting classes) in your classpath to begin with (which is loaded locally), why not provision the remote service's proxy jars first before connecting to the service? Appropriate handshaking happens to connect to the remote service of course, but do you take the dynamic insecure class loading out of the equation this way?

Dennis
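
A sketch of the verify-before-load step proposed in the message above, added here as an example; it is not code from the thread or from the project. It assumes Java 17+ and a SHA-256 digest obtained out of band from the trusted server; `loadVerified`, the file names and the jar contents are hypothetical and constructed for the demonstration.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;
public class VerifiedJarLoader {
    static byte[] sha256(Path p) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(p));
    }

    // Hypothetical helper: returns a class loader only if the jar matches the pinned digest.
    static URLClassLoader loadVerified(Path downloaded, String pinnedSha256Hex) throws Exception {
        // Copy into a private directory first, so the bytes hashed are the bytes loaded.
        Path local = Files.createTempDirectory("verified-jars").resolve("proxy.jar");
        Files.copy(downloaded, local);
        byte[] expected = HexFormat.of().parseHex(pinnedSha256Hex);
        if (!MessageDigest.isEqual(expected, sha256(local))) {
            Files.delete(local);
            throw new SecurityException("digest mismatch, refusing to load " + downloaded);
        }
        // Only a local file: URL reaches the loader; no remote codebase is consulted.
        return new URLClassLoader(new URL[] { local.toUri().toURL() },
                                  VerifiedJarLoader.class.getClassLoader());
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a small jar standing in for a downloaded proxy jar.
        Path jar = Files.createTempFile("service-proxy", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new JarEntry("META-INF/proxy.properties"));
            out.write("impl=com.example.ProxyImpl\n".getBytes("UTF-8"));
            out.closeEntry();
        }
        // Stands in for a digest published by the trusted server out of band.
        String pinned = HexFormat.of().formatHex(sha256(jar));
        try (URLClassLoader cl = loadVerified(jar, pinned)) {
            System.out.println("accepted: " + (cl.getResource("META-INF/proxy.properties") != null));
        }
        Files.write(jar, new byte[] { 0 }, StandardOpenOption.APPEND); // simulate tampering
        try {
            loadVerified(jar, pinned).close();
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The digest check covers the integrity of the downloaded bytes only; the pinned value itself still has to arrive over a channel the client already trusts.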
