Integrated: 8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation

Aleksei Efimov aefimov at openjdk.org
Wed Oct 19 14:46:07 UTC 2022


On Wed, 5 Oct 2022 15:23:43 GMT, Aleksei Efimov <aefimov at openjdk.org> wrote:

> ### Summary of the change
> This change introduces new system and security properties for specifying factory filters for the JNDI/LDAP and the JNDI/RMI JDK provider implementations. 
> 
> These new properties allow more granular control over the set of object factories allowed to reconstruct Java objects from LDAP and RMI contexts.
> 
> The new factory filters are supplementing the existing `jdk.jndi.object.factoriesFilter` global factories filter to determine if a specific object factory is permitted to instantiate objects for the given protocol.
> 
> Links:
> 
> - [CSR with details](https://bugs.openjdk.org/browse/JDK-8291556)
> - [JBS issue](https://bugs.openjdk.org/browse/JDK-8290368)
> 
> ### List of code changes
> 
> - Implementation for two new system and security properties have been added to the `com.sun.naming.internal.ObjectFactoriesFilter` class
> - `java.security` and `module-info.java` files have been updated with a documentation for the new properties
> - To keep API of `javax.naming.spi.NamingManager` and `javax.naming.spi.DirectoryManager` classes unmodified a new internal `com.sun.naming.internal.NamingManagerHelper` class has been introduced. All  `getObjectInstance` calls have been updated to use the new helper class.
> 
> #### NamingManagerHelper changes
> Changes performed to construct the `NamingManagerHelper` class:
> - `DirectoryManager.getObjectInstance` -> `NamingManagerHelper.getDirObjectInstance`. Dependant methods were also moved to the `NamingManagerHelper` class
> - `NamingManager.getObjectInstance` -> `NamingManagerHelper.getObjectInstance`. Methods responsible for setting/getting object factory builder were moved to the `NamingManagerHelper` class too.
> 
> 
> ### Test changes
> New tests have been added for checking that new factory filters can be used to restrict reconstruction of Java objects from LDAP and RMI contexts:
> - LDAP protocol specific test: test/jdk/com/sun/jndi/ldap/objects/factory/LdapFactoriesFilterTest.java
> - RMI protocol specific test: test/jdk/com/sun/jndi/rmi/registry/objects/RmiFactoriesFilterTest.java
> Existing `test/jdk/javax/naming/module/RunBasic.java` test has been updated to allow test-specific factories filter used to reconstruct objects from the test LDAP server. 
> 
> ### Testing
> tier1-tier3 and JNDI regression/JCK tests not showing any failures related to this change.
> No failures observed for the modified regression tests.

This pull request has now been integrated.

Changeset: d37ce4cd
Author:    Aleksei Efimov <aefimov at openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/d37ce4cdd18afc4facf996598f79e72aae68f4ff
Stats:     1566 lines in 22 files changed: 1211 ins; 303 del; 52 mod

8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation

Reviewed-by: dfuchs, rriggs, jpai

-------------

PR: https://git.openjdk.org/jdk/pull/10578


More information about the security-dev mailing list