8030813: Signed applet fails to load when CRLs are stored in an LDAP directory

Skip JNDI application resource lookup to avoid recursive JAR validation

Reviewed-by: vinnie, herrick

jdk/src/share/classes/com/sun/naming/internal/ResourceManager.java

@@ -66,6 +66,14 @@ public final class ResourceManager {
      */
     private static final String JRELIB_PROPERTY_FILE_NAME = "jndi.properties";
 
+    /*
+     * Internal environment property, that when set to "true", disables
+     * application resource files lookup to prevent recursion issues
+     * when validating signed JARs.
+     */
+    private static final String DISABLE_APP_RESOURCE_FILES =
+        "com.sun.naming.disable.app.resource.files";
+
     /*
      * The standard JNDI properties that specify colon-separated lists.
      */
@@ -224,6 +232,13 @@ public final class ResourceManager {
             }
         }
 
+        // Return without merging if application resource files lookup
+        // is disabled.
+        String disableAppRes = (String)env.get(DISABLE_APP_RESOURCE_FILES);
+        if (disableAppRes != null && disableAppRes.equalsIgnoreCase("true")) {
+            return env;
+        }
+
         // Merge the above with the values read from all application
         // resource files.  Colon-separated lists are concatenated.
         mergeTables((Hashtable<Object, Object>)env, getApplicationResources());

jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java

@@ -50,6 +50,7 @@ import sun.security.provider.certpath.X509CertificatePair;
 import sun.security.util.Cache;
 import sun.security.util.Debug;
 import sun.security.x509.X500Name;
+import sun.security.action.GetBooleanAction;
 import sun.security.action.GetPropertyAction;
 
 /**
@@ -135,6 +136,14 @@ public final class LDAPCertStore extends CertStoreSpi {
     private final static String PROP_LIFETIME =
                             "sun.security.certpath.ldap.cache.lifetime";
 
+    /*
+     * Internal system property, that when set to "true", disables the
+     * JNDI application resource files lookup to prevent recursion issues
+     * when validating signed JARs with LDAP URLs in certificates.
+     */
+    private final static String PROP_DISABLE_APP_RESOURCE_FILES =
+        "sun.security.certpath.ldap.disable.app.resource.files";
+
     static {
         String s = AccessController.doPrivileged(
                                 new GetPropertyAction(PROP_LIFETIME));
@@ -237,6 +246,17 @@ public final class LDAPCertStore extends CertStoreSpi {
         env.put(Context.INITIAL_CONTEXT_FACTORY,
                 "com.sun.jndi.ldap.LdapCtxFactory");
         env.put(Context.PROVIDER_URL, url);
+
+        // If property is set to true, disable application resource file lookup.
+        boolean disableAppResourceFiles = AccessController.doPrivileged(
+            new GetBooleanAction(PROP_DISABLE_APP_RESOURCE_FILES));
+        if (disableAppResourceFiles) {
+            if (debug != null) {
+                debug.println("LDAPCertStore disabling app resource files");
+            }
+            env.put("com.sun.naming.disable.app.resource.files", "true");
+        }
+
         try {
             ctx = new InitialDirContext(env);
             /*