Custom socket factory is not checked for the existence of a getDefault() method


    • Type: CSR
    • Resolution: Unresolved
    • Priority: P4
    • 27
    • Component/s: core-libs
    • None
    • behavioral
    • medium
      Applications that configure the `java.naming.ldap.factory.socket` environment property with a class that does not extend `javax.net.SocketFactory`, or that does not implement the `public static SocketFactory getDefault()` method, will now see a `javax.naming.NamingException` thrown. Such applications are expected to follow the pre-existing specification of the `java.naming.ldap.factory.socket` environment property and provide a valid `javax.net.SocketFactory` type with the right `getDefault()` method.

      Given the nature of this dynamic configuration, it's not easy to determine how many applications might have configured an incorrect value for this environment property. That makes this change a potential "medium" compatibility risk.
    • Other
    • JDK

      Summary

      The default LDAP Naming Service Provider implementation in the JDK is updated to verify that the class configured through the `java.naming.ldap.factory.socket` JNDI environment property extends the `javax.net.SocketFactory` class and implements the following method:

      public static SocketFactory getDefault() {...}
      

      Problem

      The default LDAP Naming Service Provider implementation in the JDK specifies the `java.naming.ldap.factory.socket` JNDI environment property as follows:

      java.naming.ldap.factory.socket:

      The value of this environment property specifies the fully qualified class name of the socket factory used by the LDAP provider. This class must implement the SocketFactory abstract class and provide an implementation of the static "getDefault()" method that returns an instance of the socket factory. By default the environment property is not set.

      However, the implementation in the JDK does not apply these checks to the class loaded from the configured environment property value. As a result, if this property is configured with a class which isn't of type `javax.net.SocketFactory`, the implementation in the JDK ends up calling the `getDefault()` method on it, if there is one. Furthermore, the implementation currently has no checks on the method itself, so it can end up invoking a `getDefault()` method which isn't declared on the configured class but is present on some class in the hierarchy of that class. Both of these behaviours are incorrect and go against the specification of this environment property.

      Solution

      The implementation in the JDK is enhanced to perform the necessary type and method checks against the class configured through the `java.naming.ldap.factory.socket` environment property. If the configured class fails these validation checks, the default LDAP Naming Service Provider implementation in the JDK will now raise a `javax.naming.ConfigurationException`, which is a `javax.naming.NamingException`. The specification of the `java.naming.ldap.factory.socket` environment property has also been clarified to explicitly state the expected method signature of the `getDefault()` method.
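The type and method checks described above, sketched with reflection as an added example; this is not the JDK's LDAP provider code. The class `SocketFactoryCheck`, its `load` helper and the three nested sample classes are hypothetical, and accepting a covariant return type is an assumption.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import javax.naming.ConfigurationException;
import javax.net.SocketFactory;

// Hypothetical demo class; not the JDK's LDAP provider code.
public class SocketFactoryCheck {
    // Constructed sample: correct type, declares its own getDefault().
    abstract static class Valid extends SocketFactory {
        public static SocketFactory getDefault() { return SocketFactory.getDefault(); }
    }
    // Constructed sample: has a getDefault() but is not a SocketFactory.
    static class NotAFactory {
        public static Object getDefault() { return new Object(); }
    }
    // Constructed sample: correct type, but getDefault() is only inherited.
    abstract static class InheritsOnly extends SocketFactory { }

    static SocketFactory load(Class<?> cls) throws Exception {
        if (!SocketFactory.class.isAssignableFrom(cls)) {
            throw new ConfigurationException(cls.getName() + " does not extend SocketFactory");
        }
        Method m;
        try {
            // getDeclaredMethod() ignores inherited methods; getMethod() would also
            // find the static getDefault() declared on SocketFactory itself.
            m = cls.getDeclaredMethod("getDefault");
        } catch (NoSuchMethodException e) {
            throw new ConfigurationException(cls.getName() + " does not declare getDefault()");
        }
        int mods = m.getModifiers();
        // Assumption: a covariant return type (a SocketFactory subclass) is accepted.
        if (!Modifier.isPublic(mods) || !Modifier.isStatic(mods)
                || !SocketFactory.class.isAssignableFrom(m.getReturnType())) {
            throw new ConfigurationException(cls.getName() + " has no public static SocketFactory getDefault()");
        }
        return (SocketFactory) m.invoke(null);
    }

    public static void main(String[] args) throws Exception {
        for (Class<?> c : new Class<?>[] {Valid.class, NotAFactory.class, InheritsOnly.class}) {
            try {
                load(c);
                System.out.println(c.getSimpleName() + ": accepted");
            } catch (ConfigurationException e) {
                System.out.println(c.getSimpleName() + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

`NotAFactory` and `InheritsOnly` correspond to the two incorrect behaviours listed in the Problem section: a non-`SocketFactory` class whose `getDefault()` would have been called, and a `getDefault()` found only higher up in the class hierarchy.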

      Specification

      No actual specification change - this is editorial only.

      diff --git a/src/java.naming/share/classes/module-info.java b/src/java.naming/share/classes/module-info.java
      index 5a731000194c9..30b33594d53af 100644
      --- a/src/java.naming/share/classes/module-info.java
      +++ b/src/java.naming/share/classes/module-info.java
      ...
        * <li>{@code java.naming.ldap.factory.socket}:
        *         <br>The value of this environment property specifies the fully
        *         qualified class name of the socket factory used by the LDAP provider.
        *         This class must implement the {@link javax.net.SocketFactory} abstract class
      - *         and provide an implementation of the static "getDefault()" method that
      - *         returns an instance of the socket factory. By default the environment
      + *         and provide an implementation of the {@code public static SocketFactory getDefault()}
      + *         method that returns an instance of the socket factory. By default the environment
        *         property is not set.
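Review bot: The reworded sentence on the added line "and provide an implementation of the {@code public static SocketFactory getDefault()}" pins down the required signature but still does not say what the provider does when the configured class fails the requirement. Since the Solution states that a javax.naming.ConfigurationException is now raised, consider adding a sentence to this property's description, for example "If the class does not meet these requirements, a {@code ConfigurationException} is thrown." Separately, the unchanged context line says the class must "implement the {@link javax.net.SocketFactory} abstract class"; "extend" would be the accurate verb for an abstract class and would match the wording used in the Summary.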
      

            Assignee:
            Jaikiran Pai
            Reporter:
            Pavel Rappo
            Daniel Fuchs