jdk icon indicating copy to clipboard operation
jdk copied to clipboard

Published 20 hours ago verified publisher icon openjdk

8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation

Open AlekseiEfimov opened this issue 2 years ago • 6 comments

Summary of the change

This change introduces new system and security properties for specifying factory filters for the JNDI/LDAP and the JNDI/RMI JDK provider implementations.

These new properties allow more granular control over the set of object factories allowed to reconstruct Java objects from LDAP and RMI contexts.

The new factory filters are supplementing the existing jdk.jndi.object.factoriesFilter global factories filter to determine if a specific object factory is permitted to instantiate objects for the given protocol.

Links:

List of code changes

  • Implementation for two new system and security properties have been added to the com.sun.naming.internal.ObjectFactoriesFilter class
  • java.security and module-info.java files have been updated with a documentation for the new properties
  • To keep API of javax.naming.spi.NamingManager and javax.naming.spi.DirectoryManager classes unmodified a new internal com.sun.naming.internal.NamingManagerHelper class has been introduced. All getObjectInstance calls have been updated to use the new helper class.

NamingManagerHelper changes

Changes performed to construct the NamingManagerHelper class:

  • DirectoryManager.getObjectInstance -> NamingManagerHelper.getDirObjectInstance. Dependant methods were also moved to the NamingManagerHelper class
  • NamingManager.getObjectInstance -> NamingManagerHelper.getObjectInstance. Methods responsible for setting/getting object factory builder were moved to the NamingManagerHelper class too.

Test changes

New tests have been added for checking that new factory filters can be used to restrict reconstruction of Java objects from LDAP and RMI contexts:

  • LDAP protocol specific test: test/jdk/com/sun/jndi/ldap/objects/factory/LdapFactoriesFilterTest.java
  • RMI protocol specific test: test/jdk/com/sun/jndi/rmi/registry/objects/RmiFactoriesFilterTest.java Existing test/jdk/javax/naming/module/RunBasic.java test has been updated to allow test-specific factories filter used to reconstruct objects from the test LDAP server.

Testing

tier1-tier3 and JNDI regression/JCK tests not showing any failures related to this change. No failures observed for the modified regression tests.

Progress

  • [x] Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • [x] Change must not contain extraneous whitespace
  • [x] Commit message must refer to an issue
  • [ ] Change requires a CSR request to be approved

Issues

  • JDK-8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation
  • JDK-8291556: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation (CSR)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/10578/head:pull/10578
$ git checkout pull/10578

Update a local copy of the PR:
$ git checkout pull/10578
$ git pull https://git.openjdk.org/jdk pull/10578/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 10578

View PR using the GUI difftool:
$ git pr show -t 10578

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/10578.diff

AlekseiEfimov avatar Oct 05 '22 15:10 AlekseiEfimov

:wave: Welcome back aefimov! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

bridgekeeper[bot] avatar Oct 05 '22 15:10 bridgekeeper[bot]

@AlekseiEfimov The following labels will be automatically applied to this pull request:

  • core-libs
  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

openjdk[bot] avatar Oct 05 '22 15:10 openjdk[bot]

Webrevs

mlbridge[bot] avatar Oct 05 '22 15:10 mlbridge[bot]

I am glad to see this RFE. It looks like a big change but most of it is actually reorganisation of internal code, so thanks for explaining its making off :-) It helps a lot for the review. I have looked at the code and I believe it looks good. I don't see any alternative to the reorganisation that could make the changes smaller - so I'm OK with the proposed solution. Thanks for documenting the new properties in their respective module info, as well as in the security properties file.

I had only a cursory look at the tests but they seem comprehensive. Good work.

dfuch avatar Oct 06 '22 11:10 dfuch

I am approving on the condition to make sure that all JNDI tests (as well as tier1, tier2, tier3) are run before integrating.

dfuch avatar Oct 06 '22 11:10 dfuch

Also please get an approval from a security-libs maintainer for the changes to the security properties file before integrating.

dfuch avatar Oct 06 '22 11:10 dfuch

@AlekseiEfimov This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8290368: Introduce LDAP and RMI protocol-specific object factory filters to JNDI implementation

Reviewed-by: dfuchs, rriggs, jpai

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

openjdk[bot] avatar Oct 18 '22 21:10 openjdk[bot]

/integrate

AlekseiEfimov avatar Oct 19 '22 14:10 AlekseiEfimov

Going to push as commit d37ce4cdd18afc4facf996598f79e72aae68f4ff. Since your change was applied there have been 2 commits pushed to the master branch:

  • 21aeb9e7946fc7450ee48939944a69c8aa04bcce: 8295429: Update harfbuzz md file
  • 1d883c5312721980898f91898665b528948a985b: 8295417: Pass $AR to binutils cross-build

Your commit was automatically rebased without conflicts.

openjdk[bot] avatar Oct 19 '22 14:10 openjdk[bot]

@AlekseiEfimov Pushed as commit d37ce4cdd18afc4facf996598f79e72aae68f4ff.

:bulb: You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

openjdk[bot] avatar Oct 19 '22 14:10 openjdk[bot]