JBoss Enterprise Application Platform / JBEAP-22262

[GSS](7.3.z) WFLY-15038 - Kerberos authenticated database connections (e.g. to SQL Server) not reusable when using legacy security and remote EJBs


    • Bug
    • Resolution: Won't Do
    • Major
    • 7.3.8.GA
    • Security

      Use the configuration from Elytron as described in the documentation section Database Security, sub-section Secure a Datasource using Kerberos and follow the Elytron points (not legacy security).

      In general Elytron is the recommended setup as legacy security is deprecated in EAP 7.


      Simple session bean method that retrieves and (automatically - using try-with-resources) returns a connection:

              public void test() {
                      log.info("---> test started.");
      
                      try {
                              log.info("------> DataSource.getConnection() ...");
                              try (Connection connection = datasource.getConnection()) {
                                      log.info("------> DataSource.getConnection() returned " + connection);
                              }
                      } catch (Throwable t) {
                              log.log(Level.SEVERE, t.getMessage(), t);
                      } finally {
                              log.info("---> test completed.");
                      }
              }
      

      See client code in description.


      Using legacy (rather than Elytron) security configuration for Kerberos connectivity to SQL Server.

      In a single session of an EJB client, repeatedly invoking a remote EJB remotely that retrieves and uses a Kerberos authenticated database connection during its execution.

              ((ISession) ctx.lookup("java:jboss-eap-test/SessionBean!support.jboss.ejb.session.remote.ISession")).test();
              ((ISession) ctx.lookup("java:jboss-eap-test/SessionBean!support.jboss.ejb.session.remote.ISession")).test();
              ((ISession) ctx.lookup("java:jboss-eap-test/SessionBean!support.jboss.ejb.session.remote.ISession")).test();
      

      Observed that each remote invocation results in creation of a different/new database connection (e.g. 3 are created during the 3 executions above).

      Using a Byteman rule like the below, verified that the issue relates to creation of a new sub-pool (mcpPools.keySet().size() increases) for each remote invocation.

      RULE org.jboss.jca.core.connectionmanager.pool.AbstractPool.getManagedConnectionPool
      CLASS org.jboss.jca.core.connectionmanager.pool.AbstractPool
      METHOD getManagedConnectionPool
      AT ENTRY
      IF true
      DO System.out.println("[BMAN DEBG] mcpPools.get(key) [keySet.size=" + $0.mcpPools.keySet().size() + "] => " + $0.mcpPools.get($1));
      ENDRULE
      

      Unable to reproduce the same issue when using Elytron or when using legacy security with EJB client 2.1.8 (so issue seems to have been introduced sometime between 2.1.8 and 4.0.9).

            rhn-support-rmartinc Ricardo Martin Camarero
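
One way to check a server log for the symptom reported above, as an added example (not code from the issue or from the JBoss project): it parses the lines printed by the Byteman rule in the description and flags a run in which more than one lookup finds no existing sub-pool. The log lines are constructed samples, and the check assumes the run used a single client credential.

```python
import re

# Line format printed by the Byteman rule in the issue description.
BMAN = re.compile(r"\[BMAN DEBG\] mcpPools\.get\(key\) \[keySet\.size=(\d+)\] => (.*)$")

# Constructed sample logs (not taken from the issue). The timestamp/logger
# prefix and the pool object's toString() value are assumptions.
GROWING_LOG = """\
10:00:01,100 INFO  [stdout] (default task-1) [BMAN DEBG] mcpPools.get(key) [keySet.size=0] => null
10:00:02,200 INFO  [stdout] (default task-2) [BMAN DEBG] mcpPools.get(key) [keySet.size=1] => null
10:00:03,300 INFO  [stdout] (default task-3) [BMAN DEBG] mcpPools.get(key) [keySet.size=2] => null
""".splitlines()

REUSED_LOG = """\
10:00:01,100 INFO  [stdout] (default task-1) [BMAN DEBG] mcpPools.get(key) [keySet.size=0] => null
10:00:02,200 INFO  [stdout] (default task-2) [BMAN DEBG] mcpPools.get(key) [keySet.size=1] => ManagedConnectionPool@1a2b
10:00:03,300 INFO  [stdout] (default task-3) [BMAN DEBG] mcpPools.get(key) [keySet.size=1] => ManagedConnectionPool@1a2b
""".splitlines()


def summarize(lines):
    """Count sub-pool lookups, lookups that found no pool, and the largest key set seen."""
    sizes, misses = [], 0
    for line in lines:
        m = BMAN.search(line.rstrip())
        if m is None:
            continue  # unrelated log line
        sizes.append(int(m.group(1)))
        if m.group(2).strip() == "null":
            misses += 1  # no sub-pool existed for this key at method entry
    return {"lookups": len(sizes), "misses": misses, "max_size": max(sizes, default=0)}


def reuses_subpool(lines):
    """True when a single-credential run misses at most once (first use only)."""
    s = summarize(lines)
    return s["lookups"] > 0 and s["misses"] <= 1


if __name__ == "__main__":
    for name, log in (("growing", GROWING_LOG), ("reused", REUSED_LOG)):
        print(name, summarize(log), "reuse=" + str(reuses_subpool(log)))
```

A run with several distinct credentials legitimately produces one miss per credential, so compare the miss count against the number of identities in use rather than against 1.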