Summary

Change the default value of the com.sun.jndi.ldap.object.trustSerialData system property to "false". This is the only change for the JDK Update CSRs. Unlike the parent CSR, extending the scope of the com.sun.jndi.ldap.object.trustSerialData system property is already implemented in the JDK update releases and isn't required.

Problem

The LDAP Naming Service Provider uses the "com.sun.jndi.ldap.object.trustSerialData" system property to control the reconstruction of Java objects from LDAP attributes. By default, the reconstruction is enabled.

Solution

The default value of the "com.sun.jndi.ldap.object.trustSerialData" property will be changed to "false". This disables the deserialization of Java objects from LDAP attributes by default. This property can be switched back to "true" by applications to re-enable deserialization from the "javaSerializedData", "javaRemoteLocation", and "javaReferenceAddress" attributes. Note that deserialization from these attributes has been permanently disabled in JDK 24.

Specification

The proposed change does not introduce any modifications to the existing specifications. However, the default value of the "com.sun.jndi.ldap.object.trustSerialData" system property is updated.
A release note is planned to document the change.