JDK-8338536 : Permanently disable remote code downloading in JNDI
  • Type: Enhancement
  • Component: core-libs
  • Sub-Component: javax.naming
  • Affected Version: 24
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2024-08-18
  • Updated: 2024-11-28
  • Resolved: 2024-11-21
Fixed in: JDK 24 (24 b26, Fixed)
Description
Remote code downloading in JNDI has been disabled by default since 8u121.
Two system properties were introduced at the time to allow remote code downloading to be selectively re-enabled in JNDI/LDAP and JNDI/RMI.

With the deprecation and upcoming removal of the SecurityManager (see JEP 411: https://openjdk.org/jeps/411), this enhancement proposes to remove these two properties and permanently disable remote code downloading in JNDI/LDAP and JNDI/RMI.

The two properties proposed for removal are `com.sun.jndi.rmi.object.trustURLCodebase` and `com.sun.jndi.ldap.object.trustURLCodebase`.
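
An added example, not part of the issue or the JDK change: a small Python audit that finds JVM launch lines still setting the two properties, so deployments that relied on them can be identified before moving to a release containing this fix. The sample launch lines are constructed, and the last-flag-wins and "true"-only parsing rules are assumptions.

```python
import shlex

# The two properties named in this issue.
REMOVED_PROPS = (
    "com.sun.jndi.rmi.object.trustURLCodebase",
    "com.sun.jndi.ldap.object.trustURLCodebase",
)

def audit_jvm_options(option_string):
    """Return {property: value} for each removed property set in option_string.

    Assumption: when a -D flag is repeated the last one wins, and a bare
    -Dname (no '=') sets the property to the empty string.
    """
    found = {}
    for token in shlex.split(option_string):
        if not token.startswith("-D"):
            continue
        name, _, value = token[2:].partition("=")
        if name in REMOVED_PROPS:
            found[name] = value
    return found

def enabled_props(option_string):
    """Properties that re-enabled remote code downloading on JDKs that honour them.

    Assumption: only the value "true" (case-insensitive) enables the behaviour.
    """
    return sorted(n for n, v in audit_jvm_options(option_string).items()
                  if v.strip().lower() == "true")

# Constructed sample launch lines (not taken from any real system).
SAMPLES = {
    "legacy-app": 'java -Xmx1g -Dcom.sun.jndi.ldap.object.trustURLCodebase=true -jar app.jar',
    "overridden": 'java -Dcom.sun.jndi.rmi.object.trustURLCodebase=true '
                  '-Dcom.sun.jndi.rmi.object.trustURLCodebase=false -jar svc.jar',
    "quoted-env": '"-Dcom.sun.jndi.rmi.object.trustURLCodebase=TRUE" -Dfile.encoding=UTF-8',
    "clean": 'java -Dcom.sun.jndi.ldap.connect.timeout=5000 -jar app.jar',
}

def report(samples):
    """Map each sample name to the list of properties it switches on."""
    return {name: enabled_props(line) for name, line in samples.items()}

if __name__ == "__main__":
    for name, props in report(SAMPLES).items():
        print(f"{name}: {', '.join(props) if props else 'no codebase trust flags enabled'}")
```

The same function can be pointed at the contents of `JAVA_TOOL_OPTIONS`, service unit files, or container entrypoints, since each of those carries `-D` flags in the same form.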
Comments
Changeset: cee74f9e Branch: master Author: Aleksei Efimov <aefimov@openjdk.org> Date: 2024-11-21 20:55:02 +0000 URL: https://git.openjdk.org/jdk/commit/cee74f9e677e74deda72638bcc0a3e9307262938
21-11-2024

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/22154 Date: 2024-11-15 17:03:50 +0000
15-11-2024