From 8e04ecdca924db7051e45e24b1fb9f66c5c15dff Mon Sep 17 00:00:00 2001
From: Sean Mullan
Date: Tue, 24 Dec 2013 08:40:40 -0500
Subject: [PATCH] 8030813: Signed applet fails to load when CRLs are stored in an LDAP directory

Skip JNDI application resource lookup to avoid recursive JAR validation

Reviewed-by: vinnie, herrick
---
 .../sun/naming/internal/ResourceManager.java | 15 ++++++++++++++
 .../provider/certpath/ldap/LDAPCertStore.java | 20 +++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/jdk/src/share/classes/com/sun/naming/internal/ResourceManager.java b/jdk/src/share/classes/com/sun/naming/internal/ResourceManager.java
index bfee9dbfb39..0a32e2daf25 100644
--- a/jdk/src/share/classes/com/sun/naming/internal/ResourceManager.java
+++ b/jdk/src/share/classes/com/sun/naming/internal/ResourceManager.java
@@ -66,6 +66,14 @@ public final class ResourceManager {
 */
 private static final String JRELIB_PROPERTY_FILE_NAME = "jndi.properties";
 
+ /*
+ * Internal environment property, that when set to "true", disables
+ * application resource files lookup to prevent recursion issues
+ * when validating signed JARs.
+ */
+ private static final String DISABLE_APP_RESOURCE_FILES =
+ "com.sun.naming.disable.app.resource.files";
+
 /*
 * The standard JNDI properties that specify colon-separated lists.
 */
@@ -224,6 +232,13 @@ public final class ResourceManager {
 }
 }
 
+ // Return without merging if application resource files lookup
+ // is disabled.
+ String disableAppRes = (String)env.get(DISABLE_APP_RESOURCE_FILES);
+ if (disableAppRes != null && disableAppRes.equalsIgnoreCase("true")) {
+ return env;
+ }
+
 // Merge the above with the values read from all application
 // resource files. Colon-separated lists are concatenated.
 mergeTables((Hashtable)env, getApplicationResources());
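Review bot: In the `@@ -224,6 +232,13 @@` hunk of ResourceManager.java the new guard casts the environment value unconditionally, `(String)env.get(DISABLE_APP_RESOURCE_FILES)`, so a caller that stores a non-String under that key gets a ClassCastException out of environment setup instead of the normal merge. A type-checked form keeps the guard fail-safe: `Object disableAppRes = env.get(DISABLE_APP_RESOURCE_FILES);` followed by `if (disableAppRes instanceof String && ((String)disableAppRes).equalsIgnoreCase("true")) {`. The flag is also read from the caller-supplied `env`, so any code that builds the environment can switch the application resource merge off, and the early `return env;` leaves the key in the table that is handed back; the comment should state both, since "internal" is only a naming convention here. The enclosing method starts and ends outside the hunk, so what has already been merged into `env` before this point is not visible.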
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java b/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
index eb20b3f704d..8f4f44d4ed4 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
@@ -50,6 +50,7 @@ import sun.security.provider.certpath.X509CertificatePair;
 import sun.security.util.Cache;
 import sun.security.util.Debug;
 import sun.security.x509.X500Name;
+import sun.security.action.GetBooleanAction;
 import sun.security.action.GetPropertyAction;
 
 /**
@@ -135,6 +136,14 @@ public final class LDAPCertStore extends CertStoreSpi {
 private final static String PROP_LIFETIME =
 "sun.security.certpath.ldap.cache.lifetime";
 
+ /*
+ * Internal system property, that when set to "true", disables the
+ * JNDI application resource files lookup to prevent recursion issues
+ * when validating signed JARs with LDAP URLs in certificates.
+ */
+ private final static String PROP_DISABLE_APP_RESOURCE_FILES =
+ "sun.security.certpath.ldap.disable.app.resource.files";
+
 static {
 String s = AccessController.doPrivileged(
 new GetPropertyAction(PROP_LIFETIME));
@@ -237,6 +246,17 @@ public final class LDAPCertStore extends CertStoreSpi {
 env.put(Context.INITIAL_CONTEXT_FACTORY,
 "com.sun.jndi.ldap.LdapCtxFactory");
 env.put(Context.PROVIDER_URL, url);
+
+ // If property is set to true, disable application resource file lookup.
+ boolean disableAppResourceFiles = AccessController.doPrivileged(
+ new GetBooleanAction(PROP_DISABLE_APP_RESOURCE_FILES));
+ if (disableAppResourceFiles) {
+ if (debug != null) {
+ debug.println("LDAPCertStore disabling app resource files");
+ }
+ env.put("com.sun.naming.disable.app.resource.files", "true");
+ }
+
 try {
 ctx = new InitialDirContext(env);
 /*
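Review bot: In the `@@ -237,6 +246,17 @@` hunk of LDAPCertStore.java the JNDI key is written as a bare literal, `env.put("com.sun.naming.disable.app.resource.files", "true");`, while the only definition of that name is the private `DISABLE_APP_RESOURCE_FILES` constant in ResourceManager; nothing ties the two together, and if either string is changed the recursion guard stops working without any error. Give the literal a named constant here with a comment pointing at its counterpart, e.g. `private final static String JNDI_DISABLE_APP_RESOURCE_FILES = "com.sun.naming.disable.app.resource.files"; // must match ResourceManager.DISABLE_APP_RESOURCE_FILES`. The comment should also say that the guard is opt-in: `GetBooleanAction` yields false when the system property is unset, so default behaviour is unchanged and whatever starts the JVM has to set `sun.security.certpath.ldap.disable.app.resource.files`. The property is read on each pass through this code, unlike `PROP_LIFETIME`, which is read once in the static initializer; the enclosing method starts and ends outside the hunk.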