River doesn't currently offer constraints for DGC; it's currently
vulnerable to attacks where the attacker knows the clientID: an attacker
makes clean calls, clients are removed and the service is garbage
collected, a simple DoS attack.
Should DGC be disabled in environments where security is a concern?
Wouldn't it be better to use constraints?
In reality DGC is just a service, used to preserve liveliness of remote
objects by holding a strong reference (to another arbitrary service
associated by using the same server JVM), while clients hold a lease or
explicitly clean it.
DGC already uses the same endpoint as the associated service it provides
the DGC service for.
Can anyone see a technical reason why constraints and Subject
authentication cannot or should not be utilised?
Cheers,
Peter.
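
Added example, not part of the original message and not River's DGC code: a simplified Java model of a DGC referent table, showing the clean-call problem described above next to a variant that binds each clientID to the authenticated caller. The class and method names are hypothetical, leases are omitted, and the `Principal` argument stands in for whatever identity the transport would establish under constraints.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Simplified model of DGC bookkeeping for one exported object (hypothetical names). */
public class DgcModel {
    static final class Referent {
        private final boolean requireAuth;
        // clientID -> name of the principal that registered it via a dirty call
        private final Map<UUID, String> holders = new HashMap<>();

        Referent(boolean requireAuth) { this.requireAuth = requireAuth; }

        void dirty(UUID clientId, Principal caller) {
            if (requireAuth && caller == null)
                throw new SecurityException("dirty call without an authenticated caller");
            holders.putIfAbsent(clientId, caller == null ? "<anonymous>" : caller.getName());
        }

        void clean(UUID clientId, Principal caller) {
            String owner = holders.get(clientId);
            if (owner == null) return;                 // unknown clientID: nothing to release
            if (requireAuth && (caller == null || !owner.equals(caller.getName())))
                throw new SecurityException("clean call from a caller that does not own this clientID");
            holders.remove(clientId);
        }

        /** True once no client holds a reference, i.e. the strong reference may be dropped. */
        boolean collectable() { return holders.isEmpty(); }
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice";       // constructed sample identities
        Principal mallory = () -> "mallory";
        UUID id = UUID.randomUUID();           // the clientID a third party has learned

        Referent open = new Referent(false);   // no constraints: knowing the ID is enough
        open.dirty(id, alice);
        open.clean(id, mallory);
        System.out.println("no auth, collectable after foreign clean: " + open.collectable());

        Referent guarded = new Referent(true); // clean must come from the registering principal
        guarded.dirty(id, alice);
        try { guarded.clean(id, mallory); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("with auth, collectable after foreign clean: " + guarded.collectable());
        guarded.clean(id, alice);
        System.out.println("with auth, collectable after owner clean: " + guarded.collectable());
    }
}
```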