John Relph wrote:
John, I believe we ran some tests, I will see if we can get you the results of the tests.
We don't publish source (at this point) to minimize hackers viewing whatever mistakes we've made.
Well, that view doesn't hold a lot of water these days as the Java decompilers are getting pretty darn good. For example, Jad (http://www.kpdus.com/jad.html) generates this source code from thredds.war/WEB-INF/classes/servlet/Annotation.class:
Yeah, it's not real security, we will probably relax it after we get some feedback that we haven't done anything exploitable.