  1. ActiveMQ Artemis
  2. ARTEMIS-4712

Remove LDAP connection pooling


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.34.0
    • None
    • None

    Description

      The LDAPLoginModule supports connection pooling, but there have been reports of weird behavior with pooling vs. without. For example, with pooling once a login failure occurs subsequent login attempts also fail - even if credentials are valid. However, without pooling this behavior is never seen.

      Upon further investigation the Oracle documentation says this:

      Pooled connections are intended to be reused. Therefore, if you plan to perform operations on a Context instance that might alter the underlying connection's state, then you should not use connection pooling for that Context instance. For example, if you plan to invoke the Start TLS extended operation on a Context instance, or plan to change security-related properties (such as "java.naming.security.principal" or "java.naming.security.protocol") after the initial context has been created, you should not use connection pooling for that Context instance because the LDAP provider does not track any such state changes. If you use connection pooling in such situations, you might be compromising the security of your application.

      The LDAPLoginModule does, in fact, modify the java.naming.security.principal of the Context (i.e. in the bindUser method). Although the Context is immediately reset to the original values (ostensibly restoring normal pool behavior) the pooling functionality should be removed in an abundance of caution.
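One way to avoid the state change the Oracle note warns about, as an added example (not code from ActiveMQ Artemis or from this issue): check a user's password on a dedicated, non-pooled JNDI context whose principal is set before the context is created, instead of changing `java.naming.security.principal` on an existing context. The class and method names, host and DN are hypothetical; `com.sun.jndi.ldap.connect.pool` is the JNDI LDAP provider's pooling property.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
// Added illustration, not ActiveMQ Artemis code; class and method names are hypothetical.
public class LdapBindCheck {
    // JNDI LDAP provider property that enables connection pooling for a Context.
    static final String POOL_PROP = "com.sun.jndi.ldap.connect.pool";
    static boolean isPooled(Hashtable<String, Object> env) {
        return "true".equalsIgnoreCase(String.valueOf(env.get(POOL_PROP)));
    }
    // Environment for verifying ONE user's password: copy the connection settings,
    // drop pooling, and set the user's identity before the context is created.
    static Hashtable<String, Object> userBindEnv(Hashtable<String, Object> base,
                                                 String userDn, String password) {
        Hashtable<String, Object> env = new Hashtable<>(base);
        env.remove(POOL_PROP);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    // Bind on a dedicated, short-lived context. Nothing is changed on a shared
    // context, so there is no connection state to restore afterwards.
    static boolean bindUser(Hashtable<String, Object> base, String userDn, String password) throws NamingException {
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(userBindEnv(base, userDn, password));
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong credentials; other NamingExceptions propagate
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample settings; no connection is opened here.
        Hashtable<String, Object> base = new Hashtable<>();
        base.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        base.put(Context.PROVIDER_URL, "ldap://ldap.example.test:389");
        base.put(POOL_PROP, "true");
        Hashtable<String, Object> user = userBindEnv(base, "uid=alice,ou=people,dc=example,dc=test", "secret");
        System.out.println("base pooled: " + isPooled(base) + ", user bind pooled: " + isPooled(user));
    }
}
```

`bindUser` needs a reachable directory server; `main` only builds the two environments and reports whether each would be pooled.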

            People

              jbertram Justin Bertram
              jbertram Justin Bertram