This PR permanently disable remote code downloading in JNDI/LDAP and JNDI/RMI
JDK providers, and contains the following changes:
- The following two properties are removed:
- `com.sun.jndi.ldap.object.trustURLCodebase`
- `com.sun.jndi.rmi.object.trustURLCodebase`
- JNDIs object factories logic has been altered to make it possible to
reconstruct object factories from remote locations when a custom
[ObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/ObjectFactoryBuilder.html)
is assigned via the
[NamingManager#setObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/NamingManager.html#setObjectFactoryBuilder(javax.naming.spi.ObjectFactoryBuilder))
API.
- The `NamingManager` class-level documentation is edited to remove references
to the `SecurityManager`. It was also revised to clarify a reconstruction
mechanism of object factories from remote references in the presence of a
custom `ObjectFactoriesBuilder`.
- Also, the modified classes have been cleaned-up from `SecurityManager`,
`doPrivildged`, and `AccessController` usages.
These changes require a CSR that will be submitted soon.
### Testing
- Added a new test to check if NamingManager#setObjectFactoryBuilder can be
used to implement remote code downloading:
`test/jdk/com/sun/jndi/rmi/registry/objects/ObjectFactoryBuilderCodebaseTest.java`
- `jdk-tier1` to `jdk-tier3` and other JNDI LDAP/RMI tests show no issue with
the proposed changes.
-------------
Commit messages:
- 8338536: Permanently disable remote code downloading in JNDI
Changes: https://git.openjdk.org/jdk/pull/22154/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=22154&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8338536
Stats: 544 lines in 11 files changed: 300 ins; 187 del; 57 mod
Patch: https://git.openjdk.org/jdk/pull/22154.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/22154/head:pull/22154
PR: https://git.openjdk.org/jdk/pull/22154
