> This PR permanently disable remote code downloading in JNDI/LDAP and JNDI/RMI > JDK providers, and contains the following changes: > - The following two properties are removed: > - `com.sun.jndi.ldap.object.trustURLCodebase` > - `com.sun.jndi.rmi.object.trustURLCodebase` > - JNDIs object factories logic has been altered to make it possible to > reconstruct object factories from remote locations when a custom > [ObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/ObjectFactoryBuilder.html) > is assigned via the > [NamingManager#setObjectFactoryBuilder](https://docs.oracle.com/en/java/javase/23/docs/api/java.naming/javax/naming/spi/NamingManager.html#setObjectFactoryBuilder(javax.naming.spi.ObjectFactoryBuilder)) > API. > - The `NamingManager` class-level documentation is edited to remove > references to the `SecurityManager`. It was also revised to clarify a > reconstruction mechanism of object factories from remote references in the > presence of a custom `ObjectFactoriesBuilder`. > - Also, the modified classes have been cleaned-up from `SecurityManager`, > `doPrivildged`, and `AccessController` usages. > > These changes require a CSR that will be submitted soon. > > ### Testing > - Added a new test to check if NamingManager#setObjectFactoryBuilder can be > used to implement remote code downloading: > `test/jdk/com/sun/jndi/rmi/registry/objects/ObjectFactoryBuilderCodebaseTest.java` > - `jdk-tier1` to `jdk-tier3` and other JNDI LDAP/RMI tests show no issue with > the proposed changes.
Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: clarify factory location usages in NamingManager and jdk.naming.rmi module-info ------------- Changes: - all: https://git.openjdk.org/jdk/pull/22154/files - new: https://git.openjdk.org/jdk/pull/22154/files/7b3edb84..e674e1d0 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=22154&range=02 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=22154&range=01-02 Stats: 6 lines in 2 files changed: 5 ins; 0 del; 1 mod Patch: https://git.openjdk.org/jdk/pull/22154.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/22154/head:pull/22154 PR: https://git.openjdk.org/jdk/pull/22154
