RFR: 8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation [v5]

Aleksei Efimov aefimov at openjdk.org
Fri Oct 14 17:30:02 UTC 2022


On Fri, 14 Oct 2022 16:35:28 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> Aleksei Efimov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains ten additional commits since the last revision:
>> 
>>  - Merge branch 'master' into JDK-8290368_protocol_specific_factory_filters
>>  - Remove factory builder synchronization from NamingManager. Update comments/docs.
>>  - Change checkInput to be the global filter centric
>>  - Refactor checkInput, better reporting for invalid filter patterns
>>  - Merge branch 'master' into JDK-8290368_protocol_specific_factory_filters
>>  - Additional comments/formatting cleanup.
>>  - More tests clean-up. Code/doc comments cleanup.
>>  - Cleanup test comments. Add tests to check that LDAP/RMI filters do not intersect.
>>  - 8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation
>
> src/java.base/share/conf/security/java.security line 1388:
> 
>> 1386: # are unused.
>> 1387: #
>> 1388: # Each class name pattern is matched against the factory class name to allow or disallow its
> 
> It appears that for those protocols for which there is no specific filter, a factory class will be accepted only if the global filter returns ALLOWED - which contradicts what is written here (where it says that the class is allowed if it's not REJECTED). Is this something that has changed with this fix - or was the documentation wrong before?

Very good catch Daniel! It is with this fix and I believe the code needs to be changed to match what is written for the global filter here:
What we've had before in `checkInput`:

    private static boolean checkInput(FactoryInfo factoryInfo) {
        Status result = GLOBAL.checkInput(factoryInfo);
        return result != Status.REJECTED;
    }

What we have now:

        if (filter == GLOBAL_FILTER) {
            return globalResult == Status.ALLOWED;
        }


I think it needs to be changed to (to match the description for global filter):

        if (filter == GLOBAL_FILTER) {
            return globalResult != Status.REJECTED;
        }

-------------

PR: https://git.openjdk.org/jdk/pull/10578
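
The difference between the two return conditions discussed above only shows up when a filter returns `Status.UNDECIDED`, that is, when the factory class matches no pattern. The following is an added example, not code from the pull request: it uses the public `java.io.ObjectInputFilter` API with a constructed pattern, and the `FilterDecisionDemo` class, its `FactoryInfo` record and the sample classes are assumptions made for illustration (Java 16+ for the record).

```java
import java.io.ObjectInputFilter;
import java.io.ObjectInputFilter.Status;

public class FilterDecisionDemo {

    // Hypothetical stand-in for the FactoryInfo named in the thread:
    // only the class is meaningful, the stream metrics are fixed values.
    record FactoryInfo(Class<?> serialClass) implements ObjectInputFilter.FilterInfo {
        public long arrayLength() { return 0; }
        public long depth()       { return 1; }
        public long references()  { return 0; }
        public long streamBytes() { return 0; }
    }

    // Strict rule: the class is accepted only on an explicit allow pattern.
    static boolean allowedOnly(Status s) { return s == Status.ALLOWED; }

    // Documented rule for the global filter: accepted unless explicitly rejected.
    static boolean notRejected(Status s) { return s != Status.REJECTED; }

    public static void main(String[] args) {
        // Constructed pattern: allow java.util classes, reject java.net classes,
        // say nothing about everything else.
        ObjectInputFilter filter =
                ObjectInputFilter.Config.createFilter("java.util.*;!java.net.*");

        // Constructed samples: one allowed, one rejected, one matching no pattern.
        Class<?>[] samples = {
            java.util.ArrayList.class,
            java.net.URI.class,
            StringBuilder.class
        };

        for (Class<?> c : samples) {
            Status s = filter.checkInput(new FactoryInfo(c));
            System.out.printf("%-24s status=%-9s ==ALLOWED:%-5b !=REJECTED:%b%n",
                    c.getName(), s, allowedOnly(s), notRejected(s));
        }
    }
}
```

The class that matches no pattern is the only one on which the two rules disagree: `== ALLOWED` refuses it, `!= REJECTED` accepts it.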


