-
Sub-task
-
Resolution: Unresolved
-
P4
-
8u461, 11.0.28-oracle, 17.0.16-oracle
-
generic
-
generic
In this release, new system and security properties are introduced to allow more granular control over the set of JNDI object factories allowed to reconstruct Java objects from JNDI/LDAP and JNDI/RMI contexts:
* The new `jdk.jndi.ldap.object.factoriesFilter` property specifies which object factory classes are allowed to instantiate Java objects from object references returned by JNDI/LDAP contexts. Its default value only allows object factories defined in the `java.naming` module.
* The new `jdk.jndi.rmi.object.factoriesFilter` property specifies which object factory classes are allowed to instantiate Java objects from object references returned by JNDI/RMI contexts. Its default value only allows object factories defined in the `jdk.rmi` module.
These new factory filter properties complement the `jdk.jndi.object.factoriesFilter` global factories filter property by determining if a specific object factory is permitted to instantiate objects for the LDAP or RMI protocols used in JNDI.
An application depending on custom object factories to recreate Java objects from JNDI/LDAP or JNDI/RMI contexts will need to supply a security or system property with an updated value to allow such third-party object factories to reconstruct LDAP or RMI objects. If usage of a factory is denied, the lookup operation may result in a plain instance of `javax.naming.Reference` instance returned, which may lead to a `ClassCastException` being thrown in the application.
* The new `jdk.jndi.ldap.object.factoriesFilter` property specifies which object factory classes are allowed to instantiate Java objects from object references returned by JNDI/LDAP contexts. Its default value only allows object factories defined in the `java.naming` module.
* The new `jdk.jndi.rmi.object.factoriesFilter` property specifies which object factory classes are allowed to instantiate Java objects from object references returned by JNDI/RMI contexts. Its default value only allows object factories defined in the `jdk.rmi` module.
These new factory filter properties complement the `jdk.jndi.object.factoriesFilter` global factories filter property by determining if a specific object factory is permitted to instantiate objects for the LDAP or RMI protocols used in JNDI.
An application depending on custom object factories to recreate Java objects from JNDI/LDAP or JNDI/RMI contexts will need to supply a security or system property with an updated value to allow such third-party object factories to reconstruct LDAP or RMI objects. If usage of a factory is denied, the lookup operation may result in a plain instance of `javax.naming.Reference` instance returned, which may lead to a `ClassCastException` being thrown in the application.