----- Original Message ----
> From: Peter <j...@zeus.net.au>
> To: river-dev@incubator.apache.org
> Sent: Mon, December 20, 2010 5:38:05 PM
> Subject: Re: Fw: Re: Space/outrigger suggestions
>
> In untrusted networks you can enforce DownloadPermission, this prevents
> downloading code from untrusted sources.
>
> In such an environment, you can interop with anyone who authenticates as
> anybody safely, since you're only using local or trusted code. Introduce
> Generics into Service API, now you've given an attacker a means to induce a
> ClassCastException, using a reflective proxy, an effective poison pill DOS
> attack, that can be used to attack multiple clients.
>
> A cast is simple enough to do and I always check my casts.
>
Are you saying you check all fields of your returns? Either way you have an error arise. You have some kind of an exceptional situation. Not sure how I see this as more of a DOS either way. It is service layer code, so of course you are going to code against those calls with a general catch...or should. Other than that, just performing the cast there isn't going to be some code run, just the exception raised.

On the rest as it relates to generics, oh well, I believe this conversation has just run off the track into a let's just prove a point no matter what or something else completely orthogonal to the reality. I don't believe the generics use implies anything other than there are generics used in a given aspect of the API. I think if one wants to use generics and does they are going to use them. Seeing them here doesn't change that, but of course that is my opinion. I'll just leave it there, and have no interest in talking about generics more regardless of what I do or do not know as I feel it has become a waste of time.

FWIW, I say we do as you suggest and move onto the rest of the discussion without talking generics, and see how that goes.

Wade
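
The failure mode discussed in this thread, as an added example that is not part of either message and is not River code: a reflective proxy behind a generic interface returns the wrong type, so the compiler-inserted cast throws in client code, while a class-token check rejects the value at the trust boundary. `Store`, `untrustedStore` and `takeChecked` are hypothetical names.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;

public class ErasedReturnDemo {
    // Hypothetical generic service interface; after erasure take() returns Object.
    interface Store<T> { T take(); }

    // Stand-in for a proxy whose invocation handler is controlled by the remote party.
    @SuppressWarnings("unchecked")
    static <T> Store<T> untrustedStore(Object payload) {
        InvocationHandler h = (proxy, method, args) -> payload;
        return (Store<T>) Proxy.newProxyInstance(
                Store.class.getClassLoader(), new Class<?>[] { Store.class }, h);
    }

    // Validate the returned object against a class token at the boundary,
    // instead of relying on the cast the compiler inserts at each use site.
    static <T> T takeChecked(Store<?> store, Class<T> type) {
        Object o = store.take();
        if (!type.isInstance(o)) { // also rejects null
            String got = (o == null) ? "null" : o.getClass().getName();
            throw new IllegalStateException("service returned " + got);
        }
        return type.cast(o);
    }

    public static void main(String[] args) {
        // Constructed input: the "service" hands back an Integer where a String is declared.
        Store<String> store = untrustedStore(Integer.valueOf(42));
        try {
            String s = store.take(); // implicit checkcast to String happens here
            System.out.println(s);
        } catch (ClassCastException e) {
            System.out.println("implicit cast failed in client code: " + e.getMessage());
        }
        try {
            takeChecked(store, String.class);
        } catch (IllegalStateException e) {
            System.out.println("rejected at boundary: " + e.getMessage());
        }
    }
}
```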