[jboss-jira] [JBoss JIRA] (WFCORE-951) LDAP context resource leaks in Picketbox
Josef Cacek (JIRA)
issues at jboss.org
Thu Sep 3 05:45:05 EDT 2015
Josef Cacek created WFCORE-951:
----------------------------------
Summary: LDAP context resource leaks in Picketbox
Key: WFCORE-951
URL: https://issues.jboss.org/browse/WFCORE-951
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Josef Cacek
Assignee: Darran Lofthouse
Priority: Blocker
There are several {{InitialLdapContext}} resource leaks in LDAP-related code in PicketBox.
The most critical is, IMO, the leak in the `LdapLoginModule.createLdapInitContext()` method. LDAP connections will stay open for customers who use administrator bind (i.e. the {{java.naming.security.principal}} login module option for the Ldap login module).
The problematic code looks like:
{code:java}
InitialLdapContext ctx = null;
try
{
    //...
    ctx = new InitialLdapContext(env, null);
    if (PicketBoxLogger.LOGGER.isTraceEnabled())
    {
        PicketBoxLogger.LOGGER.traceSuccessfulLogInToLDAP(ctx.toString());
    }
    if (bindDN != null)
    {
        // Rebind the ctx to the bind dn/credentials for the roles searches
        PicketBoxLogger.LOGGER.traceRebindWithConfiguredPrincipal(bindDN);
        env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
        env.put(Context.SECURITY_CREDENTIALS, bindCredential);
        // The reference to the first (user-bind) context is overwritten here
        // without ctx.close() having been called on it, so its connection leaks
        ctx = new InitialLdapContext(env, null);
    }
    // ...
}
finally
{
    // Close the context to release the connection (only the last ctx is closed)
    if (ctx != null)
        ctx.close();
    // ...
}
{code}
The first constructed {{InitialLdapContext}} is not closed before creating the "admin context".
The other PicketBox classes which have weak handling of the {{InitialLdapContext}} are:
* {{LdapContextHandler}}
* {{LdapAttributeMappingProvider}}
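The corrected shape of the bind-then-rebind flow, as an added example that is not PicketBox's own code: the user-bind context is closed before the administrator context is opened, and whichever context is live at the end is released in `finally`. The method name, the `Hashtable` environment and the logger-free structure are assumptions for illustration.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

// Added example (not PicketBox code): authenticate with the user's credentials,
// then optionally rebind with the configured admin principal for role searches,
// without leaking the first LDAP connection.
public class LdapBindWithoutLeak {

    /** Closes a context and swallows close errors, so a failing close on the
     *  user-bind connection does not abort an otherwise successful login. */
    static void closeQuietly(InitialLdapContext ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (NamingException ignored) {
            // connection teardown failure; nothing further to release
        }
    }

    static void authenticateAndSearchRoles(Hashtable<String, Object> env,
                                           String bindDN, Object bindCredential)
            throws NamingException {
        InitialLdapContext ctx = null;
        try {
            // Bind as the user: a successful constructor call validates the password.
            ctx = new InitialLdapContext(env, null);

            if (bindDN != null) {
                // Release the user-bind connection BEFORE opening the admin one.
                // Nulling the reference keeps finally from closing it twice if the
                // admin bind below throws.
                closeQuietly(ctx);
                ctx = null;
                env.put(Context.SECURITY_PRINCIPAL, bindDN);
                env.put(Context.SECURITY_CREDENTIALS, bindCredential);
                ctx = new InitialLdapContext(env, null);
            }
            // ... role searches using ctx go here ...
        } finally {
            // Exactly one context is live at this point; close it.
            closeQuietly(ctx);
        }
    }
}
```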
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)