Jonas Pfenniger schrieb:
> ...
> As you see, this is very simple, but I'm wondering if this is enough. For
> example, how does the client know the reference to [1,2,3]. Could it be
> guessed in some way, so that it could bypass the AuthenticationProxy ?

Jonas, I'm no DRb expert, but this client code can get access to the 
real object without authenticating itself:

   @proxy = DRbObject.new( nil, URI )
   class << @proxy
     undef_method :instance_variable_get
   end
   @proxy.instance_variable_get("@object")  # => [1, 2, 3]

It is necessary to undefine #instance_variable_get for the local @proxy 
object, so that the message is forwarded to the AuthenticationProxy on 
the server side.

Regards,
Pit