JDK-8338536 : Permanently disable remote code downloading in JNDI
  • Type: Enhancement
  • Component: core-libs
  • Sub-Component: javax.naming
  • Affected Version: 24
  • Priority: P4
  • Status: In Progress
  • Resolution: Unresolved
  • Submitted: 2024-08-18
  • Updated: 2024-11-15
JDK 24: Unresolved
Related Reports
CSR :  
Relates :  
Description
Remote code downloading in JNDI has been disabled by default since 8u121.
Two system properties were introduced at the time to allow remote code downloading to be selectively re-enabled in JNDI/LDAP and JNDI/RMI.

With the deprecation and upcoming removal of the SecurityManager (see JEP 411: https://openjdk.org/jeps/411), this enhancement proposes to remove these two properties and permanently disable remote code downloading in JNDI/LDAP and JNDI/RMI.

The two properties proposed for removal are `com.sun.jndi.rmi.object.trustURLCodebase` and `com.sun.jndi.ldap.object.trustURLCodebase`.
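Deployments that still set either property can be located by auditing JVM launch options before the properties go away. The script below is an added example, not part of this issue or of the JDK: the function names, service names and command lines are constructed for illustration, and it inspects only `-D` options on command lines and in the `JAVA_TOOL_OPTIONS` and `JDK_JAVA_OPTIONS` environment variables.

```shell
#!/bin/sh
# Added example (not JDK code): report JVM option text that sets either of
# the two properties named in this issue to true.

# Property names come from the issue description; dots escaped for grep -E.
JNDI_TRUST_PROPS='com\.sun\.jndi\.(rmi|ldap)\.object\.trustURLCodebase'

# scan_jvm_options LABEL
# Reads option text on stdin (a launch command line or the value of an
# options environment variable), splits it into whitespace-separated tokens,
# and prints "LABEL: property=value" for every -D token that enables remote
# code downloading. Returns 0 if any were found, 1 if none.
# Assumption: the value is matched case-insensitively to stay conservative.
scan_jvm_options() {
    hits=$(tr -s '[:space:]' '\n' | tr -d "\"'" |
        grep -E "^-D${JNDI_TRUST_PROPS}=[Tt][Rr][Uu][Ee]\$") || return 1
    printf '%s\n' "$hits" | while IFS= read -r opt; do
        printf '%s: %s\n' "$1" "${opt#-D}"
    done
}

# Constructed sample input: "<service> <launch command line>", one per line.
sample_cmdlines() {
    cat <<'EOF'
billing java -Xmx512m -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar billing.jar
search java -Dcom.sun.jndi.rmi.object.trustURLCodebase=false -jar search.jar
reports java "-Dcom.sun.jndi.rmi.object.trustURLCodebase=TRUE" -cp app.jar Main
EOF
}

# audit_sample: scan each constructed command line, then the two launcher
# environment variables JAVA_TOOL_OPTIONS and JDK_JAVA_OPTIONS.
# Returns 0 when the audit is clean, 1 when any override was reported.
audit_sample() {
    status=0
    while read -r name cmdline; do
        if printf '%s\n' "$cmdline" | scan_jvm_options "$name"; then status=1; fi
    done <<EOF
$(sample_cmdlines)
EOF
    for var in JAVA_TOOL_OPTIONS JDK_JAVA_OPTIONS; do
        eval "value=\${$var:-}"
        if printf '%s\n' "$value" | scan_jvm_options "env:$var"; then status=1; fi
    done
    return "$status"
}
```

On a live host the same `scan_jvm_options` function can be fed real process command lines in place of the constructed sample.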
Comments
A pull request was submitted for review.
Branch: master
URL: https://git.openjdk.org/jdk/pull/22154
Date: 2024-11-15 17:03:50 +0000
15-11-2024