-
CSR
-
Resolution: Approved
-
P3
-
None
-
behavioral
-
medium
-
Applications that rely on deserialization of Java objects or reconstruction of RMI stubs from LDAP attributes (RFC 2713) would need to set the 'com.sun.jndi.ldap.object.trustSerialData' system property to 'true'.
-
System or security property
-
JDK
Summary
Update the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false", and extend its scope to cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.
Problem
The JDK built-in JNDI LDAP provider provides a transparent binding for RFC 2713 (Schema for Representing Java(tm) Objects in an LDAP Directory). This provider also supports reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute. These bindings are not part of the Java SE specification and can involve transparent deserialization of Java objects.
In JDK 17 a com.sun.jndi.ldap.object.trustSerialData
system property was added to make it possible to disable such deserialization of serialized data from LDAP. However the property was left switched on by default. The only mention of the javaSerializedData
LDAP attributes in the API was added in JDK 17 when documenting the com.sun.jndi.ldap.object.trustSerialData
system property (see below).
The API docs have no reference to the javaRemoteLocation
or the javaReferenceAddress
LDAP attributes, and didn't have any reference of javaSerializedData
prior to JDK 17, so support for them has been completely undocumented.
Solution
We propose to switch the default value of this property to disable deserialization from LDAP attributes by default, and extend its scope to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute. With this new setting transparent deserialization of Java object from an LDAP context will require an explicit opt-in:
- Switch the default value of the 'com.sun.jndi.ldap.object.trustSerialData' system property to "false".
- Extend the scope of the property to also cover the reconstruction of RMI remote objects from the deprecated 'javaRemoteLocation' LDAP attribute.
- Document the support for
javaRemoteLocation
and thejavaReferenceAddress
LDAP attributes.
Specification
Inline patch with an update for java.naming module info file:
diff a/src/java.naming/share/classes/module-info.java b/src/java.naming/share/classes/module-info.java
--- a/src/java.naming/share/classes/module-info.java
+++ b/src/java.naming/share/classes/module-info.java
@@ -77,15 +77,20 @@
* <p>The following implementation specific system properties are supported by the
* default LDAP Naming Service Provider implementation in the JDK:
* <ul>
* <li>{@systemProperty com.sun.jndi.ldap.object.trustSerialData}:
* <br>The value of this system property is the string representation of a boolean value
- * which allows to control the deserialization of java objects from the 'javaSerializedData'
- * LDAP attribute. To prevent the deserialization of java objects from the 'javaSerializedData'
- * attribute, the system property value can be set to 'false'.
- * <br>If the property is not specified then the deserialization of java objects
- * from the 'javaSerializedData' attribute is allowed.
+ * that controls the deserialization of java objects from the {@code javaSerializedData} LDAP
+ * attribute, reconstruction of RMI references from the {@code javaRemoteLocation} LDAP attribute, and
+ * reconstruction of {@linkplain javax.naming.BinaryRefAddr binary reference addresses} from
+ * the {@code javaReferenceAddress} LDAP attribute.
+ * To allow the deserialization or reconstruction of java objects from {@code javaSerializedData},
+ * {@code javaRemoteLocation} or {@code javaReferenceAddress} attributes, the system property value
+ * can be set to {@code true} (case insensitive).
+ * <br>If the property is not specified the deserialization of java objects
+ * from the {@code javaSerializedData}, the {@code javaRemoteLocation}, or {@code javaReferenceAddress}
+ * attributes is not allowed.
* </li>
* <li>{@systemProperty jdk.jndi.object.factoriesFilter}:
* <br>The value of this system property defines a filter used by
* the JNDI runtime implementation to control the set of object factory classes which will
* be allowed to instantiate objects from object references returned by naming/directory systems.
- csr of
-
JDK-8290367 Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
- Closed