- CSR
- Resolution: Approved
- P3
- None
- behavioral
- medium
- Applications that rely on deserialization of Java objects or reconstruction of RMI stubs from LDAP attributes (RFC 2713) would need to set the 'com.sun.jndi.ldap.object.trustSerialData' system property to 'true'.
- System or security property
- JDK
Summary
Change the default value of the com.sun.jndi.ldap.object.trustSerialData system property to "false". This is the only change for the JDK Update CSRs. Unlike the parent CSR, extending the scope of the com.sun.jndi.ldap.object.trustSerialData system property is already implemented in the JDK update releases and isn't required.
Problem
The LDAP Naming Service Provider uses the "com.sun.jndi.ldap.object.trustSerialData" system property to control the reconstruction of Java objects from LDAP attributes. By default, the reconstruction is enabled.
Solution
The default value of the "com.sun.jndi.ldap.object.trustSerialData" property will be changed to "false". This disables the deserialization of Java objects from LDAP attributes by default. This property can be switched back to "true" by applications to re-enable deserialization from the "javaSerializedData", "javaRemoteLocation", and "javaReferenceAddress" attributes. Note that deserialization from these attributes has been permanently disabled in JDK 24.
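To see which directory entries depend on the behavior that the new default turns off, an LDIF export can be scanned for the three attributes named above. This is an added example, not part of the CSR or the JDK; the sample LDIF, its DNs, and the function name `affected_entries` are constructed for illustration.

```python
import re

# Attributes this CSR names as gated by com.sun.jndi.ldap.object.trustSerialData.
GATED = {"javaserializeddata", "javaremotelocation", "javareferenceaddress"}

# Constructed sample LDIF export (not real directory data).
SAMPLE_LDIF = """\
version: 1

dn: cn=printer,ou=objects,dc=example,dc=com
objectClass: javaSerializedObject
javaClassName: com.example.Printer
javaSerializedData:: Q09OU1RSVUNURUQ=

dn: cn=ds,ou=objects,dc=example,
 dc=com
objectClass: javaNamingReference
javaClassName: javax.sql.DataSource
JavaReferenceAddress: #0#url#jdbc:example
javaReferenceAddress: #1#user#app

dn: cn=alice,ou=people,dc=example,dc=com
objectClass: person
cn: alice
"""

def affected_entries(ldif_text):
    """Return {dn: sorted gated attribute names} for entries that carry any."""
    # Undo LDIF folding: a line that starts with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    hits = {}
    for record in re.split(r"(?:\r?\n){2,}", unfolded):
        dn, found = None, set()
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # LDIF comment or malformed line
            name, value = line.split(":", 1)
            base = name.split(";", 1)[0].lower()  # drop options such as ;binary
            if base == "dn":
                dn = value.lstrip(":").strip()  # a base64 DN is reported undecoded
            elif base in GATED:  # attribute names are case-insensitive
                found.add(base)
        if dn and found:
            hits[dn] = sorted(found)
    return hits
```

Entries reported by the scan are the ones an application can no longer reconstruct into Java objects unless it sets the property back to "true".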
Specification
The proposed change does not introduce any modifications to the existing specifications. However, the default value of the "com.sun.jndi.ldap.object.trustSerialData" system property is updated.
A release note is planned to document the change.
- csr of
  - JDK-8347034 Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property - Resolved
  - JDK-8347035 Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property - Resolved
  - JDK-8347036 Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property - Resolved