On Tuesday 12 of October 2010 14:23:44 Sim IJskes - QCG wrote:
> On 10/12/2010 02:12 PM, Michal Kleczek wrote:
> > On Tuesday 12 of October 2010 14:00:14 Sim IJskes - QCG wrote:
> >> It doesn't happen with readUTF(). The first bytes read are the stream
> >> header, (0xac, 0xed, 0, 5), and then the length, then the bytes
> >> composing the string. No parsing of TC constants, and no optional code
> >> paths that can lead to out-of-anything dos attacks. Send it with
> >> writeUTF, read it with a custom function limiting the length of the
> >> string and voila we have at least made it 1 step more difficult to dos.
> >
> > I understand your arguments but I am still not convinced - you somehow
> > have to send a ProxyTrust instance (or any remote object reference) so
> > that you can verify codebase using it.
>
> No you don't. You can delegate it to the IntegrityVerifier. This is the
> place where you should check the integrity. You will have enough
> information there (coded in the codebase parameter), to load the code,
> check endpoints (dns name, ip address, TLS) if wanted, check signatures,
> certificates, checksums.
Right - but it looks to me we're turning circles right now. Maybe I just don't understand what you're saying, so let me describe a scenario that I would like to support:

1. Prerequisite - you and I are logged in to the same Kerberos realm and I know your Kerberos principal
2. I got a piece of data - a marshalled object
3. Before I deserialize an object I want to make sure the codebase of the object I got is the one you wanted it to be (regardless of the contents of the jar file I will download later - I'm going to check its integrity later on)

Are we talking about the same thing?

Michal
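As an added illustration of the "send it with writeUTF, read it with a custom function limiting the length" pattern Sim describes above (example code written for this page, not code from the thread or from Apache River): the sender emits the 4-byte stream header (0xac 0xed 0x00 0x05) followed by the string in writeUTF format (2-byte unsigned length plus modified UTF-8), and the receiver checks the header, reads the declared length, refuses anything over a cap before allocating a buffer for it, and only then decodes. The framing is hand-rolled with DataOutputStream rather than ObjectOutputStream (an assumption made so that no TC_* tags or block-data records appear), the 1024-byte cap and the sample codebase URL are constructed values, and since writeUTF's length field is two bytes the cap can never usefully exceed 65535.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectStreamConstants;

public class BoundedUtfExchange {

    // Sender side: the 4-byte stream header named in the thread, then the
    // string exactly as DataOutputStream.writeUTF lays it out (2-byte length +
    // modified UTF-8). Hand-rolled framing, not ObjectOutputStream, so no
    // TC_* constants are ever written.
    static byte[] encode(String s) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);   // 0xac 0xed
        out.writeShort(ObjectStreamConstants.STREAM_VERSION); // 0x00 0x05
        out.writeUTF(s);
        out.flush();
        return bos.toByteArray();
    }

    // Receiver side: verify the header, read the declared length, reject
    // oversized input before allocating, then decode exactly `len` bytes.
    static String decodeBounded(InputStream raw, int maxBytes) throws IOException {
        DataInputStream in = new DataInputStream(raw);
        if (in.readShort() != ObjectStreamConstants.STREAM_MAGIC
                || in.readShort() != ObjectStreamConstants.STREAM_VERSION) {
            throw new IOException("bad stream header");
        }
        int len = in.readUnsignedShort();
        if (len > maxBytes) {
            // Only two bytes have been read so far; nothing sized by the
            // attacker-controlled length has been allocated.
            throw new IOException("string of " + len + " bytes exceeds limit " + maxBytes);
        }
        byte[] body = new byte[len];
        in.readFully(body);
        // Re-frame as a length-prefixed record and reuse the JDK's own
        // modified-UTF-8 decoder instead of hand-decoding.
        byte[] framed = new byte[len + 2];
        framed[0] = (byte) (len >>> 8);
        framed[1] = (byte) len;
        System.arraycopy(body, 0, framed, 2, len);
        return new DataInputStream(new ByteArrayInputStream(framed)).readUTF();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample value, not a real codebase.
        byte[] msg = encode("http://codebase.example/river-dl.jar");
        System.out.println(decodeBounded(new ByteArrayInputStream(msg), 1024));

        // A 5000-byte string against a 1024-byte cap: rejected after reading
        // the header and the two length bytes.
        byte[] big = encode("x".repeat(5000));
        try {
            decodeBounded(new ByteArrayInputStream(big), 1024);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of reading the length into an int and comparing it before `new byte[len]` is that the only memory the receiver commits before the check is the fixed-size header; a peer that lies about the length can make the read fail, but cannot make the receiver allocate on its behalf.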
