RFR: 8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation [v5]
Aleksei Efimov
aefimov at openjdk.org
Fri Oct 14 16:19:41 UTC 2022
> ### Summary of the change
> This change introduces new system and security properties for specifying factory filters for the JNDI/LDAP and the JNDI/RMI JDK provider implementations.
>
> These new properties allow more granular control over the set of object factories allowed to reconstruct Java objects from LDAP and RMI contexts.
>
> The new factory filters are supplementing the existing `jdk.jndi.object.factoriesFilter` global factories filter to determine if a specific object factory is permitted to instantiate objects for the given protocol.
>
> Links:
>
> - [CSR with details](https://bugs.openjdk.org/browse/JDK-8291556)
> - [JBS issue](https://bugs.openjdk.org/browse/JDK-8290368)
>
> ### List of code changes
>
> - Implementation for two new system and security properties have been added to the `com.sun.naming.internal.ObjectFactoriesFilter` class
> - `java.security` and `module-info.java` files have been updated with a documentation for the new properties
> - To keep API of `javax.naming.spi.NamingManager` and `javax.naming.spi.DirectoryManager` classes unmodified a new internal `com.sun.naming.internal.NamingManagerHelper` class has been introduced. All `getObjectInstance` calls have been updated to use the new helper class.
>
> #### NamingManagerHelper changes
> Changes performed to construct the `NamingManagerHelper` class:
> - `DirectoryManager.getObjectInstance` -> `NamingManagerHelper.getDirObjectInstance`. Dependant methods were also moved to the `NamingManagerHelper` class
> - `NamingManager.getObjectInstance` -> `NamingManagerHelper.getObjectInstance`. Methods responsible for setting/getting object factory builder were moved to the `NamingManagerHelper` class too.
>
>
> ### Test changes
> New tests have been added for checking that new factory filters can be used to restrict reconstruction of Java objects from LDAP and RMI contexts:
> - LDAP protocol specific test: test/jdk/com/sun/jndi/ldap/objects/factory/LdapFactoriesFilterTest.java
> - RMI protocol specific test: test/jdk/com/sun/jndi/rmi/registry/objects/RmiFactoriesFilterTest.java
> Existing `test/jdk/javax/naming/module/RunBasic.java` test has been updated to allow test-specific factories filter used to reconstruct objects from the test LDAP server.
>
> ### Testing
> tier1-tier3 and JNDI regression/JCK tests not showing any failures related to this change.
> No failures observed for the modified regression tests.
Aleksei Efimov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains ten additional commits since the last revision:
- Merge branch 'master' into JDK-8290368_protocol_specific_factory_filters
- Remove factory builder synchronization from NamingManager. Update comments/docs.
- Change checkInput to be the global filter centric
- Refactor checkInput, better reporting for invalid filter patterns
- Merge branch 'master' into JDK-8290368_protocol_specific_factory_filters
- Additional comments/formatting cleanup.
- More tests clean-up. Code/doc comments cleanup.
- Cleanup test comments. Add tests to check that LDAP/RMI filters do not intersect.
- 8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/10578/files
- new: https://git.openjdk.org/jdk/pull/10578/files/53806048..b3849168
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=10578&range=04
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=10578&range=03-04
Stats: 15973 lines in 334 files changed: 11307 ins; 2971 del; 1695 mod
Patch: https://git.openjdk.org/jdk/pull/10578.diff
Fetch: git fetch https://git.openjdk.org/jdk pull/10578/head:pull/10578
PR: https://git.openjdk.org/jdk/pull/10578
More information about the security-dev
mailing list