RFR: 8338536: Permanently disable remote code downloading in JNDI [v4]

Aleksei Efimov aefimov at openjdk.org
Wed Nov 20 13:06:57 UTC 2024


> This PR permanently disables remote code downloading in JNDI/LDAP and JNDI/RMI JDK providers, and contains the following changes:
> - The following two properties are removed:
>     - `com.sun.jndi.ldap.object.trustURLCodebase`
>     - `com.sun.jndi.rmi.object.trustURLCodebase`
> - JNDI's object factories logic has been altered to make it possible to reconstruct object factories from remote locations when a custom [ObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/ObjectFactoryBuilder.html) is assigned via the [NamingManager#setObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/NamingManager.html#setObjectFactoryBuilder(javax.naming.spi.ObjectFactoryBuilder)) API.
> - The `NamingManager` class-level documentation is edited to remove references to the `SecurityManager`. It was also revised to clarify a reconstruction mechanism of object factories from remote references in the presence of a custom `ObjectFactoryBuilder`.
> - Also, the modified classes have been cleaned up from `SecurityManager`, `doPrivileged`, and `AccessController` usages.
> 
> These changes require a CSR that will be submitted soon.
> 
> ### Testing
> - Added a new test to check if NamingManager#setObjectFactoryBuilder can be used to implement remote code downloading: `test/jdk/com/sun/jndi/rmi/registry/objects/ObjectFactoryBuilderCodebaseTest.java`
> - `jdk-tier1` to `jdk-tier3` and other JNDI LDAP/RMI tests show no issue with the proposed changes.

Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision:

 - Docs and comments update
 - Revert VersionHelper.createThread removal

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/22154/files
  - new: https://git.openjdk.org/jdk/pull/22154/files/e674e1d0..673bc73b

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=22154&range=03
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=22154&range=02-03

  Stats: 21 lines in 7 files changed: 9 ins; 6 del; 6 mod
  Patch: https://git.openjdk.org/jdk/pull/22154.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/22154/head:pull/22154

PR: https://git.openjdk.org/jdk/pull/22154
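
The description above leaves a custom `ObjectFactoryBuilder` as the only place where the choice of object factory is made once one is installed. As an added illustration (not code from this PR or from the JDK), the builder below takes the restrictive side of that choice: it refuses any reference that carries a factory class location and loads only allow-listed factories through the application's own class loader. The class name `LocalOnlyFactoryBuilder`, the factory name `com.example.jndi.PoolFactory` and the sample reference are assumptions made for the example.

```java
import java.util.Hashtable;
import java.util.Set;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.naming.spi.NamingManager;
import javax.naming.spi.ObjectFactory;
import javax.naming.spi.ObjectFactoryBuilder;

// Hypothetical class name; not part of the JDK or of this PR.
public class LocalOnlyFactoryBuilder implements ObjectFactoryBuilder {
    // Hypothetical allow-list: the object factories the application itself ships.
    private static final Set<String> ALLOWED = Set.of("com.example.jndi.PoolFactory");

    @Override
    public ObjectFactory createObjectFactory(Object obj, Hashtable<?, ?> env)
            throws NamingException {
        Reference ref = obj instanceof Reference r ? r
                : obj instanceof Referenceable rf ? rf.getReference() : null;
        if (ref == null) throw new NamingException("not a Reference; no factory selected");
        String name = ref.getFactoryClassName();
        if (ref.getFactoryClassLocation() != null)
            throw new NamingException("factory codebase present, rejected: " + name);
        if (name == null || !ALLOWED.contains(name))
            throw new NamingException("factory not allow-listed: " + name);
        try {
            // Resolve only through the application's own class loader.
            Class<?> c = Class.forName(name, false, LocalOnlyFactoryBuilder.class.getClassLoader());
            return c.asSubclass(ObjectFactory.class).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            NamingException ne = new NamingException("cannot instantiate factory " + name);
            ne.setRootCause(e);
            throw ne;
        }
    }

    public static void main(String[] args) throws NamingException {
        // May be set once per JVM; a second call throws IllegalStateException.
        NamingManager.setObjectFactoryBuilder(new LocalOnlyFactoryBuilder());
        // Constructed sample: a reference that names a factory codebase location.
        Reference sample = new Reference("java.lang.Object",
                "com.example.jndi.PoolFactory", "http://codebase.invalid/");
        try {
            NamingManager.getObjectInstance(sample, null, null, new Hashtable<>());
        } catch (Exception e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```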

