As of Java 20 the default value is false:
If the property is not specified the deserialization of java objects from the javaSerializedData, the javaRemoteLocation, or javaReferenceAddress attributes is not allowed.
via: java.naming module summary in Java 20
com.sun.jndi.ldap.object.trustSerialData
Java's JNDI LDAP provider implements RFC 2713 (Schema for Representing Java Objects in an LDAP Directory) and the javaRemoteLocation LDAP attribute (RMI remote object deserialization). These implementation bindings can allow for the deserialization of Java objects.
jdk.jndi.object.factoriesFilter - allows you to specify a filter pattern similar to those accepted by the jdk.serialFilter system property. The filter pattern controls which classes may instantiate objects via object references from the Java Naming and Directory Interface (JNDI).
jdk.jndi.ldap.object.factoriesFilter - similar to jdk.jndi.object.factoriesFilter, but applies only to the JNDI LDAP Provider.
jdk.jndi.rmi.object.factoriesFilter - similar to jdk.jndi.object.factoriesFilter, but applies only to the JNDI RMI Provider.
Security Tip
Avoid setting com.sun.jndi.ldap.object.trustSerialData to true, as it may open you up to security risk.
Java has supported the com.sun.jndi.ldap.object.trustSerialData system property since Java 8u311, Java 11.0.13 and Java 17.0.1.
com.sun.jndi.ldap.object.trustSerialData on Startup
You can set the com.sun.jndi.ldap.object.trustSerialData Java system property during startup of the Java runtime using the -D command line argument:
java -Dcom.sun.jndi.ldap.object.trustSerialData=false MyAppMain
You may also be able to specify com.sun.jndi.ldap.object.trustSerialData via the JAVA_TOOL_OPTIONS environment variable:
JAVA_TOOL_OPTIONS=-Dcom.sun.jndi.ldap.object.trustSerialData=false
com.sun.jndi.ldap.object.trustSerialData at Runtime
You can set com.sun.jndi.ldap.object.trustSerialData at runtime with the following Java code:
System.setProperty("com.sun.jndi.ldap.object.trustSerialData", "false");
WARNING: Depending on the property and JVM version, using setProperty may or may not work if the JDK Java class that uses this variable has already been loaded. The value of the com.sun.jndi.ldap.object.trustSerialData system property may be cached within an internal private static variable of the implementing class.
To read the value of com.sun.jndi.ldap.object.trustSerialData at runtime, you can use this Java code:
String propertyValue = System.getProperty("com.sun.jndi.ldap.object.trustSerialData");
if (propertyValue != null) {
    System.out.println("com.sun.jndi.ldap.object.trustSerialData = " + propertyValue);
} else {
    System.out.println("com.sun.jndi.ldap.object.trustSerialData was null");
}
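Because of the caching warning above, a runtime override is only dependable when it runs before any JNDI class is loaded. The startup guard below is an added example, not code from the original page or from the JDK; the class name JndiSerialDataGuard and its fail-closed policy are assumptions, and it reads the related filter properties only as system properties.

```java
public class JndiSerialDataGuard {
    static final String TRUST_SERIAL_DATA = "com.sun.jndi.ldap.object.trustSerialData";

    // Related filter properties listed on this page; reported for review only.
    static final String[] FACTORY_FILTERS = {
        "jdk.jndi.object.factoriesFilter",
        "jdk.jndi.ldap.object.factoriesFilter",
        "jdk.jndi.rmi.object.factoriesFilter"
    };

    /**
     * Call as the first statement of main(), before any JNDI class is touched:
     * the provider may cache the value once its classes are loaded.
     * Returns the value found before pinning (null if the property was unset).
     */
    static String enforce() {
        String before = System.getProperty(TRUST_SERIAL_DATA);
        // Assumed policy: any spelling of "true" is rejected (fail closed).
        if (before != null && before.trim().equalsIgnoreCase("true")) {
            throw new IllegalStateException(TRUST_SERIAL_DATA
                + "=true was supplied (check -D arguments and JAVA_TOOL_OPTIONS)");
        }
        // Pin explicitly so behaviour does not depend on the JDK's default,
        // which this page gives as false as of Java 20.
        System.setProperty(TRUST_SERIAL_DATA, "false");
        return before;
    }

    public static void main(String[] args) {
        String before = enforce();
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println(TRUST_SERIAL_DATA + ": was "
            + (before == null ? "unset" : "'" + before + "'") + ", now 'false'");
        for (String name : FACTORY_FILTERS) {
            String value = System.getProperty(name);
            System.out.println(name + " = "
                + (value == null ? "(not set as a system property)" : value));
        }
    }
}
```

Starting the class with -Dcom.sun.jndi.ldap.object.trustSerialData=true, or with that setting in JAVA_TOOL_OPTIONS, makes enforce() throw before the application does any LDAP work.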