[ https://issues.apache.org/jira/browse/JCR-5135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18005243#comment-18005243 ]
Julian Reschke commented on JCR-5135:
-------------------------------------

trunk: (2.23.2-beta) [7a319093c|https://github.com/apache/jackrabbit/commit/7a319093c9864111bb86c9895148e580e0f8259a]
2.22: [c6335271e|https://github.com/apache/jackrabbit/commit/c6335271e95f3a660962212584dc19e6f23969b0]

> Make JNDI support opt-in
> ------------------------
>
>                 Key: JCR-5135
>                 URL: https://issues.apache.org/jira/browse/JCR-5135
>             Project: Jackrabbit Content Repository
>          Issue Type: Task
>          Components: jackrabbit-jcr-commons
>            Reporter: Julian Reschke
>            Assignee: Manfred Baedke
>            Priority: Major
>              Labels: candidate_jackrabbit_2.22
>             Fix For: 2.24, 2.23.2
>
>
> Support for JNDI is inherently dangerous, because it can load classes from
> another location. Users of the method might not be aware when using it and
> just pass parameter values without sanitization. It would probably also be
> good to add a warning to the method and state that parameters should come
> from configuration and not passed in from an end user.
> (ack [~mreutegg] )

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
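
An added example, not part of the Jira message or of Jackrabbit's code: one way to make JNDI lookups opt-in and limited to names that come from configuration, as the issue description asks. The class name, the `example.jndi.enabled` system property and the sample names are assumptions made for illustration.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Set;

/** Hypothetical helper (not Jackrabbit's API): JNDI lookups stay off unless enabled. */
public final class OptInJndiLookup {
    // Assumed property name, used only in this example.
    static final String ENABLE_PROPERTY = "example.jndi.enabled";

    // JNDI names read from deployment configuration, never from a request.
    private final Set<String> allowedNames;

    public OptInJndiLookup(Set<String> allowedNames) {
        this.allowedNames = Set.copyOf(allowedNames);
    }

    /** Returns why a lookup is refused, or null if it may proceed. */
    String refusalReason(String name) {
        if (!Boolean.getBoolean(ENABLE_PROPERTY)) {
            return "JNDI support is disabled; set -D" + ENABLE_PROPERTY + "=true to opt in";
        }
        if (name == null || !allowedNames.contains(name)) {
            return "JNDI name is not in the configured allow-list";
        }
        return null;
    }

    public Object lookup(String name) throws NamingException {
        String reason = refusalReason(name);
        if (reason != null) {
            throw new SecurityException(reason);
        }
        InitialContext ctx = new InitialContext();
        try {
            return ctx.lookup(name);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: one configured name, one caller-supplied value.
        String configured = "java:comp/env/jcr/repository";
        OptInJndiLookup jndi = new OptInJndiLookup(Set.of(configured));
        System.out.println(jndi.refusalReason(configured)); // refused: disabled by default
        System.setProperty(ENABLE_PROPERTY, "true");
        System.out.println(jndi.refusalReason(configured)); // null: lookup may proceed
        System.out.println(jndi.refusalReason("value-from-request-parameter")); // refused
    }
}
```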