8030813: Signed applet fails to load when CRLs are stored in an LDAP directory

Summary: Skip JNDI application resource lookup to avoid recursive JAR validation Reviewed-by: vinnie, herrick

8030813: Signed applet fails to load when CRLs are stored in an LDAP directory
Summary: Skip JNDI application resource lookup to avoid recursive JAR validation Reviewed-by: vinnie, herrick
305e4f6b · mullan · 1bfce010 · 305e4f6b · 305e4f6b
2 changed file
--- a/src/share/classes/com/sun/naming/internal/ResourceManager.java
+++ b/src/share/classes/com/sun/naming/internal/ResourceManager.java
@@ -66,6 +66,14 @@ public final class ResourceManager {
     */
    private static final String JRELIB_PROPERTY_FILE_NAME = "jndi.properties";

+    /*
+     * Internal environment property, that when set to "true", disables
+     * application resource files lookup to prevent recursion issues
+     * when validating signed JARs.
+     */
+    private static final String DISABLE_APP_RESOURCE_FILES =
+        "com.sun.naming.disable.app.resource.files";
+
    /*
     * The standard JNDI properties that specify colon-separated lists.
     */
@@ -224,6 +232,13 @@ public final class ResourceManager {
            }
        }

+        // Return without merging if application resource files lookup
+        // is disabled.
+        String disableAppRes = (String)env.get(DISABLE_APP_RESOURCE_FILES);
+        if (disableAppRes != null && disableAppRes.equalsIgnoreCase("true")) {
+            return env;
+        }
+
        // Merge the above with the values read from all application
        // resource files.  Colon-separated lists are concatenated.
        mergeTables((Hashtable<Object, Object>)env, getApplicationResources());

--- a/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
+++ b/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java
@@ -50,6 +50,7 @@ import sun.security.provider.certpath.X509CertificatePair;
 import sun.security.util.Cache;
 import sun.security.util.Debug;
 import sun.security.x509.X500Name;
+import sun.security.action.GetBooleanAction;
 import sun.security.action.GetPropertyAction;

 /**
@@ -135,6 +136,14 @@ public final class LDAPCertStore extends CertStoreSpi {
    private final static String PROP_LIFETIME =
                            "sun.security.certpath.ldap.cache.lifetime";

+    /*
+     * Internal system property, that when set to "true", disables the
+     * JNDI application resource files lookup to prevent recursion issues
+     * when validating signed JARs with LDAP URLs in certificates.
+     */
+    private final static String PROP_DISABLE_APP_RESOURCE_FILES =
+        "sun.security.certpath.ldap.disable.app.resource.files";
+
    static {
        String s = AccessController.doPrivileged(
                                new GetPropertyAction(PROP_LIFETIME));
@@ -237,6 +246,17 @@ public final class LDAPCertStore extends CertStoreSpi {
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
+
+        // If property is set to true, disable application resource file lookup.
+        boolean disableAppResourceFiles = AccessController.doPrivileged(
+            new GetBooleanAction(PROP_DISABLE_APP_RESOURCE_FILES));
+        if (disableAppResourceFiles) {
+            if (debug != null) {
+                debug.println("LDAPCertStore disabling app resource files");
+            }
+            env.put("com.sun.naming.disable.app.resource.files", "true");
+        }
+
        try {
            ctx = new InitialDirContext(env);
            /*