Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8338536

Permanently disable remote code downloading in JNDI

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Fixed
    • Icon: P4 P4
    • 24
    • 24
    • core-libs

      Remote code downloading in JNDI has been disabled by default since 8u121.
      Two system properties were introduced at the time to allow to selectively reenable remote code downloading in JNDI/LDAP and JNDI/RMI.

      With the deprecation and upcoming removal of the SecurityManager (see JEP 411: https://openjdk.org/jeps/411), this enhancement proposes to remove these two properties and permanently disable remote code downloading in JNDI/LDAP and JNDI/RMI.

      The two properties proposed for removal are `com.sun.jndi.rmi.object.trustURLCodebase` and `com.sun.jndi.ldap.object.trustURLCodebase`.

            aefimov Aleksej Efimov
            dfuchs Daniel Fuchs
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: