[jboss-jira] [JBoss JIRA] (WFCORE-951) LDAP context resource leaks in Picketbox
Brian Stansberry (JIRA)
issues at jboss.org
Fri Oct 23 14:01:01 EDT 2015
[ https://issues.jboss.org/browse/WFCORE-951?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13121683#comment-13121683 ]
Brian Stansberry commented on WFCORE-951:
-----------------------------------------
What's the status on this? It's an unscheduled Blocker, so it either has to be scheduled or made a non-blocker.
I suspect it's already fixed.
> LDAP context resource leaks in Picketbox
> ----------------------------------------
>
> Key: WFCORE-951
> URL: https://issues.jboss.org/browse/WFCORE-951
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 2.0.0.Beta5
> Reporter: Josef Cacek
> Assignee: Peter Skopek
> Priority: Blocker
>
> There are several {{InitialLdapContext}} resource leaks in LDAP related code in PicketBox.
> The most critical is IMO the leak in the {{LdapLoginModule.createLdapInitContext()}} method. LDAP connections will stay open for customers who use administrators bind (i.e. {{java.naming.security.principal}} login module option for the Ldap login module).
> The problematic code seems like:
> {code:java}
> InitialLdapContext ctx = null;
> try
> {
>     //...
>     ctx = new InitialLdapContext(env, null);
>     if (PicketBoxLogger.LOGGER.isTraceEnabled())
>     {
>         PicketBoxLogger.LOGGER.traceSuccessfulLogInToLDAP(ctx.toString());
>     }
>     if (bindDN != null)
>     {
>         // Rebind the ctx to the bind dn/credentials for the roles searches
>         PicketBoxLogger.LOGGER.traceRebindWithConfiguredPrincipal(bindDN);
>         env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
>         env.put(Context.SECURITY_CREDENTIALS, bindCredential);
>         ctx = new InitialLdapContext(env, null);
>     }
>     // ...
> }
> finally
> {
>     // Close the context to release the connection
>     if (ctx != null)
>         ctx.close();
>     // ...
> }
> {code}
> The first constructed {{InitialLdapContext}} is not closed before creating the "admin context".
> The other PicketBox classes which have weak handling of the {{InitialLdapContext}} are:
> * {{LdapContextHandler}}
> * {{LdapAttributeMappingProvider}}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
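
The flow quoted in the issue description, with the user-bound context closed before the rebind, as an added Java example that is not PicketBox code and not the project's fix. The class and method names are hypothetical, and `CountingFactory` is a constructed stand-in for an LDAP server (a proxy that only counts open and close calls) so the example runs offline.

```java
import java.lang.reflect.Proxy;
import java.util.Hashtable;
import java.util.Properties;
import java.util.concurrent.atomic.AtomicInteger;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.spi.InitialContextFactory;

// Added illustration, not PicketBox code; all class and method names are hypothetical.
public class LdapRebindDemo {
    static final AtomicInteger OPEN = new AtomicInteger(); // contexts opened and not yet closed

    // Constructed stand-in for a directory: a proxy LdapContext that only counts open/close.
    public static class CountingFactory implements InitialContextFactory {
        public Context getInitialContext(Hashtable<?, ?> env) {
            OPEN.incrementAndGet();
            return (Context) Proxy.newProxyInstance(LdapContext.class.getClassLoader(),
                new Class<?>[] {LdapContext.class}, (p, m, a) -> {
                    if (m.getName().equals("close")) OPEN.decrementAndGet();
                    return null;
                });
        }
    }

    // The flow from the issue, with the user-bound context closed before the rebind.
    static void loginThenRebind(Properties env, String bindDN, Object cred) throws NamingException {
        InitialLdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null); // validates the user's credentials
            if (bindDN != null) {
                ctx.close(); // release the user-bound connection before replacing it
                ctx = null;  // nothing left to close if the second bind fails
                env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
                env.put(Context.SECURITY_CREDENTIALS, cred);
                ctx = new InitialLdapContext(env, null);
            }
            // role searches using ctx would go here (elided in the issue as well)
        } finally {
            if (ctx != null) ctx.close(); // closes whichever context is current
        }
    }
    public static void main(String[] args) throws NamingException {
        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, CountingFactory.class.getName());
        loginThenRebind(env, "uid=admin,dc=example,dc=org", "constructed-secret");
        System.out.println("contexts still open: " + OPEN.get());
    }
}
```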