users@jersey.java.net

Re: [Jersey] Jersey on app engine

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Wed, 15 Apr 2009 11:20:30 +0200

On Apr 15, 2009, at 11:00 AM, Walter Chang wrote:

> check out this thread: http://groups.google.com/group/google-appengine-java/browse_thread/thread/2cd411dd1f2f5b4a#
>

Thanks, that is interesting w.r.t. XML APIs/implementations and
security.

I guess there is no stopping someone distributing their own XML API,
in the war, with similar security implications.

One can imagine there might be strong legal requirements in terms of
responsibility/support and in addition a platform plagued with
security issues is one that is likely to get very bad press and low
adoption. So in this respect I understand why a conservative approach
is taken.

Paul.



> On Wed, Apr 15, 2009 at 4:30 PM, Paul Sandoz <Paul.Sandoz_at_sun.com>
> wrote:
>
> On Apr 14, 2009, at 6:49 PM, Tatu Saloranta wrote:
>
> On Tue, Apr 14, 2009 at 9:40 AM, Paul Sandoz <Paul.Sandoz_at_sun.com>
> wrote:
>
> On Apr 14, 2009, at 6:34 PM, Tatu Saloranta wrote:
> ...
> XMLBeans? JiBX?
>
> Most data binding frameworks will probably have issues, due to
> security limitations or missing classes. It's not so much the security
> manager policies (which I understand -- and accept as a price of an
> otherwise really neat option for deployment) but rather missing
> classes, and related problems that get you.
>
>
> +1 Well put.
>
> One observation/question regarding the white list: Stax API seems to
> be missing. If so, wouldn't this mean that you could not use Stax
> parsers on anything -- since API classes are not whitelisted, trying
> to add api jar and load classes should fail?
>
>
> I would presume so. You might be able to add a renamed stax jar/impl
> to the war. It would be an interesting experiment to see if that
> would work with a modified Woodstox.
>
>
>
> If this is the case, it'd be another indication that what you get is
> not really 1.6, but some arbitrary subset, perhaps just based on which
> packages developers doing it happened to be aware of.
>
>
> It could be. Hard to fathom really without some details from the GAE
> developers themselves.
>
> Paul.
>
>
>
>
>
> --
> .......__o
> .......\<,
> ....( )/ ( )...