Brian Stansberry resolved WFCORE-951.
-------------------------------------
Release Notes Text: I'm going to resolve this against 2.0.5 although it may have
been an early 2.0.x release. The related JBEAP issue is verified and the code for this is
in sync between the branches so for the JBEAP to be fixed this one must be as well.
Fix Version/s: 2.0.5.Final
Resolution: Done
LDAP context resource leaks in Picketbox
----------------------------------------
Key: WFCORE-951
URL: https://issues.jboss.org/browse/WFCORE-951
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 2.0.0.Beta5
Reporter: Josef Cacek
Assignee: Peter Skopek
Priority: Blocker
Fix For: 2.0.5.Final
There are several {{InitialLdapContext}} resource leaks in LDAP related code in
PicketBox.
The most critical one is, IMO, the leak in the {{LdapLoginModule.createLdapInitContext()}} method. LDAP
connections will stay open for customers who use an administrator bind (i.e. the
{{java.naming.security.principal}} login module option of the LDAP login module).
The problematic code looks like:
{code:java}
InitialLdapContext ctx = null;
try
{
    //...
    ctx = new InitialLdapContext(env, null);
    if (PicketBoxLogger.LOGGER.isTraceEnabled())
    {
        PicketBoxLogger.LOGGER.traceSuccessfulLogInToLDAP(ctx.toString());
    }
    if (bindDN != null)
    {
        // Rebind the ctx to the bind dn/credentials for the roles searches
        PicketBoxLogger.LOGGER.traceRebindWithConfiguredPrincipal(bindDN);
        env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
        env.put(Context.SECURITY_CREDENTIALS, bindCredential);
        // The first (user-bound) ctx is overwritten here without being closed,
        // so only the second context is ever released by the finally block.
        ctx = new InitialLdapContext(env, null);
    }
    // ...
}
finally
{
    // Close the context to release the connection
    if (ctx != null)
        ctx.close();
    // ...
}
{code}
The first constructed {{InitialLdapContext}} is not closed before creating the
"admin context".
The other PicketBox classes which have weak handling of the {{InitialLdapContext}} are:
* {{LdapContextHandler}}
* {{LdapAttributeMappingProvider}}
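For comparison, the same bind-then-rebind flow written so that the user-bound context is always closed before the administrator-bound one is opened. This is an added example, not PicketBox code and not the fix that was merged for this issue; the class name, the {{login}} and {{simpleBindEnv}} helpers, and all URL/DN/password values are placeholders, and running {{main}} needs a reachable LDAP server.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

/**
 * Added example (not PicketBox code): a leak-free version of the
 * authenticate-then-rebind pattern described in WFCORE-951.
 */
public final class LdapRebindExample {

    /**
     * Binds with the supplied env (user principal/credentials already set) to
     * authenticate the user. If an administrator bindDN is configured, the
     * user-bound connection is closed and a second context bound as the
     * administrator is opened for the role searches.
     * Exactly one context is returned; the caller owns it and must close it.
     */
    static InitialLdapContext createLdapInitContext(Properties env, String bindDN, String bindCredential)
            throws NamingException {
        // First bind: proves the user's credentials. If it throws, nothing is open.
        InitialLdapContext userCtx = new InitialLdapContext(env, null);
        if (bindDN == null) {
            return userCtx; // no rebind configured: the user context is the search context
        }
        // The user-bound connection has done its job. Close it BEFORE the second
        // constructor call: assigning the new context over the old reference (the
        // original pattern) leaves this connection open until the server drops it.
        userCtx.close();

        env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
        env.put(Context.SECURITY_CREDENTIALS, bindCredential);
        // Second bind: now the only open context, so the caller's finally releases everything.
        return new InitialLdapContext(env, null);
    }

    /** Caller side: the single returned context is closed in finally, whatever happens in between. */
    static boolean login(Properties env, String bindDN, String bindCredential) throws NamingException {
        InitialLdapContext ctx = createLdapInitContext(env, bindDN, bindCredential);
        try {
            // ... role searches with ctx.search(...) would go here ...
            return true;
        } finally {
            ctx.close();
        }
    }

    /** Builds a simple-bind environment. All values are placeholders supplied by the caller. */
    static Properties simpleBindEnv(String url, String userDN, String password) {
        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.setProperty(Context.PROVIDER_URL, url);
        env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");
        env.setProperty(Context.SECURITY_PRINCIPAL, userDN);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder server and credentials (assumptions, not values from the issue).
        Properties env = simpleBindEnv("ldap://ldap.example.test:389",
                "uid=alice,ou=people,dc=example,dc=test", "user-password-placeholder");
        boolean ok = login(env, "cn=admin,dc=example,dc=test", "admin-password-placeholder");
        System.out.println("login succeeded: " + ok);
    }
}
```

Two design notes. First, a failure of {{userCtx.close()}} propagates here and fails the login; an implementation that prefers availability can catch and log it instead, as long as the reference is not silently overwritten. Second, the leak in the original pattern is easy to confirm from the outside: with an administrator bind configured, count the established connections from the application server to the LDAP port before and after a batch of logins; with the leaky code the count grows by one per login and only falls when the directory server times the idle connections out, whereas with the pattern above it returns to its baseline as soon as each login completes.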
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)