Michael Jakl wrote: > Hi! > > On Tue, Jul 7, 2009 at 11:21, Bernd Fondermann<[email protected]> wrote: >>> Don't trust the sender with the "to" address, use the one in the >>> sessionContext. >> Now _you_ are getting overly defensive. ;-) >> >> If my mind serves me right, the to address has been checked before (in >> ProtocolWorker?), so it's save to use it. And I don't think >> getServerJID() will neccessarily give you the right one in every case >> either. > > Currently it should (why not?), but as soon as we allow components to > have different domains it doesn't anymore.
That's what I had in mind. What if the pubsub is addressed as [email protected], wouldn't this trigger a problem already? > Anyway, the JID for the module should be configured elsewhere, and not > take from the request. I'll fix that too tonight. +1. In a related thought, what do you by the way think about introducing a PubSubConfiguration class where all of the many options possible in pubsub can be collected? The module JID could be one of them. Bernd
