Then you are vulnerable to deserialization gadget attacks, insecure cyphers, 
anon certs etc. 

JGDMS is as secure as possible with current cyphers, no anon certs, no known 
insecure cyphers (tlsv1.2), input validation during deserialization, delayed 
unmarshalling with authentication.

I don't see a compelling reason to give that up for a local class with a 
readResolve method.

Sorry.

Regards,

Peter.
Sent from my Samsung device.
 
---- Original message ----
From: Michał Kłeczek <mic...@kleczek.org>
Sent: 14/02/2017 12:14:41 am
To: dev@river.apache.org
Subject: Re: OSGi NP Complete Was: OSGi - deserialization remote invocation 
strategy


Peter wrote: 
> In jgdms I've enabled support for https unicast lookup in LookupLocator; this 
> establishes a connection to a Registrar only, not any service.  This 
> functionality doesn't exist in River. 
> 
> How do you propose establishing a connection using one of these endpoints? 
I am not sure I understand the question. 
In exactly the same way as the connection is established today by, for 
example, a ProxyTrust instance. 

Thanks, 
Michal 
