[jboss-jira] [JBoss JIRA] (WFCORE-951) LDAP context resource leaks in Picketbox

Brian Stansberry (JIRA) issues at jboss.org
Mon Jan 4 11:38:00 EST 2016


     [ https://issues.jboss.org/browse/WFCORE-951?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Stansberry resolved WFCORE-951.
-------------------------------------
    Release Notes Text: I'm going to resolve this against 2.0.5 although it may have been an early 2.0.x release. The related JBEAP issue is verified and the code for this is in sync between the branches so for the JBEAP to be fixed this one must be as well.
         Fix Version/s: 2.0.5.Final
            Resolution: Done


> LDAP context resource leaks in Picketbox
> ----------------------------------------
>
>                 Key: WFCORE-951
>                 URL: https://issues.jboss.org/browse/WFCORE-951
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.0.0.Beta5
>            Reporter: Josef Cacek
>            Assignee: Peter Skopek
>            Priority: Blocker
>             Fix For: 2.0.5.Final
>
>
> There are several {{InitialLdapContext}} resource leaks in LDAP-related code in PicketBox.
> The most critical, IMO, is the leak in the {{LdapLoginModule.createLdapInitContext()}} method. LDAP connections will stay open for customers who use an administrator's bind (i.e. the {{java.naming.security.principal}} login module option for the Ldap login module).
> The problematic code looks like:
> {code:java}
> InitialLdapContext ctx = null;
> try
> {
>    //...
>    ctx = new InitialLdapContext(env, null);
>    if (PicketBoxLogger.LOGGER.isTraceEnabled())
>    {
>       PicketBoxLogger.LOGGER.traceSuccessfulLogInToLDAP(ctx.toString());
>    }
>    if (bindDN != null)
>    {
>       // Rebind the ctx to the bind dn/credentials for the roles searches
>       PicketBoxLogger.LOGGER.traceRebindWithConfiguredPrincipal(bindDN);
>       env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
>       env.put(Context.SECURITY_CREDENTIALS, bindCredential);
>       ctx = new InitialLdapContext(env, null);
>    }
>    // ...
> }
> finally
> {
>    // Close the context to release the connection
>    if (ctx != null)
>       ctx.close();
>    // ...
> }
> {code}
> The first constructed {{InitialLdapContext}} is not closed before creating the "admin context".
> The other PicketBox classes which have weak handling of the {{InitialLdapContext}} are:
> * {{LdapContextHandler}}
> * {{LdapAttributeMappingProvider}}



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
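The leak described in the issue, shown beside a form that closes each context it opens. This is an added illustration, not PicketBox's own code; the method names, the `env` properties and the assumption that a reachable LDAP server is configured in `env` are all stand-ins for the real login module.

```java
// Added example (not PicketBox's code): the leaky pattern from WFCORE-951 and a fixed form.
// Assumes `env` already carries the provider URL and the authenticating user's credentials.
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

public class LdapContextLeakExample {

    // Leaky pattern: the user-bound context is overwritten by the admin-bound one,
    // so `finally` closes only the second context and the first connection stays open.
    static void leaky(Properties env, String bindDN, String bindCredential) throws NamingException {
        InitialLdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);      // bound as the authenticating user
            if (bindDN != null) {
                env.put(Context.SECURITY_PRINCIPAL, bindDN);
                env.put(Context.SECURITY_CREDENTIALS, bindCredential);
                ctx = new InitialLdapContext(env, null);  // reference to the first context is lost
            }
            // ... role searches ...
        } finally {
            if (ctx != null) ctx.close();                 // closes only the admin context
        }
    }

    // Fixed pattern: the user context is closed as soon as the bind has proven the
    // credentials, and every context is tracked and closed independently.
    static void fixed(Properties env, String bindDN, String bindCredential) throws NamingException {
        InitialLdapContext userCtx = null;
        InitialLdapContext adminCtx = null;
        try {
            userCtx = new InitialLdapContext(env, null);  // successful bind == credentials valid
            if (bindDN != null) {
                userCtx.close();                          // release the user's connection first
                userCtx = null;
                env.put(Context.SECURITY_PRINCIPAL, bindDN);
                env.put(Context.SECURITY_CREDENTIALS, bindCredential);
                adminCtx = new InitialLdapContext(env, null);
            }
            // ... role searches on (adminCtx != null ? adminCtx : userCtx) ...
        } finally {
            closeQuietly(adminCtx);
            closeQuietly(userCtx);
        }
    }

    private static void closeQuietly(InitialLdapContext ctx) {
        if (ctx == null) return;
        try { ctx.close(); } catch (NamingException ignored) { /* nothing left to do on cleanup */ }
    }
}
```

A quick way to confirm the fix in a test environment is to watch the number of established connections to the LDAP port while repeating logins with a configured bind DN; with the leaky form the count grows with each login, with the fixed form it stays flat.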