I've been thinking about the practicalities of a djinn running in
untrusted networks (the internet); the first thing that springs to mind is
that security is much simpler if people can get away with only "dumb" or
reflective proxies.
I'd like to see the default security setup requiring DownloadPermission.
If we sign our download jars (a number of developers could do this,
requiring at least this group of signers), a standard policy file
template could include a certificate grant for DownloadPermission,
allowing anyone to load classes from a standard River download proxy.
This gets our smart proxies out of the way.
Then all developers need to worry about are Principals and
MethodConstraints, allowing people to get started using River with
reflective proxies over the internet.
Later, if people want to get into smart proxies, that power's still there;
this change prevents unauthorised class loading.
Cheers,
Peter.
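An added example of the policy-file template the message proposes, not taken from the original post or from the River distribution; the keystore path, the signer alias "riverDownload" and the choice of enforcing class provider are assumptions:

```java
// Java security policy fragment (example; keystore path and alias are assumed).
// The alias "riverDownload" resolves to the certificate of the developers who
// sign the River download JARs.
keystore "file:${user.home}/.river/truststore", "JKS";

// Only downloaded code signed by that certificate is granted DownloadPermission.
// Download JARs that are unsigned, or signed by anyone else, are refused before
// any class from them is defined, so a malicious codebase cannot push classes
// into the client just by being referenced in a proxy's codebase annotation.
grant signedBy "riverDownload" {
    permission net.jini.loader.DownloadPermission;
};

// Enforcement comes from selecting a class provider that checks the permission
// (assumption: the standard RMIClassLoader provider property), e.g. on the JVM
// command line:
//   -Djava.rmi.server.RMIClassLoaderSpi=net.jini.loader.pref.RequireDlPermProvider
```

With this in place a service whose smart proxy is not signed by the trusted developers simply cannot be loaded, while reflective proxies that need no downloaded code keep working as before.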