We cannot allow dynamic classloading
without a security manager (sandbox)
or at least some explicit configuration saying it is ok.
Unless the dynamically loaded class is run in a
sandbox, malicous code could control of the
I agree. I think that we should try to fit both (classloading and security) in on interceptor stack. My personal feeling is that the interceptor stack should be added within the invoker handler and not part of the invoker itself (which should be purely transport). That way hander implementation can determine what is needed (security, transaction , etc.).