How to remove the SecurityManager

Peter Firmstone peter.firmstone at zeus.net.au
Tue Jul 27 23:52:19 UTC 2021


On 28/07/2021 9:12 am, Peter Firmstone wrote:

> While its possible to use a dynamic proxy without downloading code, 
> via an atomic serialization connection, it's not generally advised to 
> do so with unauthenticated users, decisions around dynamic discovery, 
> whether class loading or downloads are allowed, it's all based on 
> policy decisions.

Minor clarification / correction, it's not possible on our system to 
allow an unauthenticated user over a secure connection, our code 
disallows TLS connections with anon clients. We do provide TCP/IP 
connections, that are unsecured, however this is generally to allow 
testing of services during development and shouldn't be used in 
production.   No changes to a service need to be made other than 
configuration settings to enable secure connections.

Regards,

Peter.




More information about the security-dev mailing list