JBoss Enterprise Application Platform
JBEAP-989: LDAP context resource leaks in Picketbox

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 7.0.0.ER2 (Beta)
    • 7.0.0.DR9
    • Component: Security

      There are several InitialLdapContext resource leaks in LDAP-related code in PicketBox.

      The most critical is, IMO, the leak in the `LdapLoginModule.createLdapInitContext()` method. LDAP connections will stay open for customers who use an administrator bind (i.e. the java.naming.security.principal login module option for the LDAP login module).

      The problematic code looks like:

      InitialLdapContext ctx = null;
      try
      {
         //...
         ctx = new InitialLdapContext(env, null);
         if (PicketBoxLogger.LOGGER.isTraceEnabled())
         {
            PicketBoxLogger.LOGGER.traceSuccessfulLogInToLDAP(ctx.toString());
         }
      
         if (bindDN != null)
         {
            // Rebind the ctx to the bind dn/credentials for the roles searches
            PicketBoxLogger.LOGGER.traceRebindWithConfiguredPrincipal(bindDN);
            env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
            env.put(Context.SECURITY_CREDENTIALS, bindCredential);
            ctx = new InitialLdapContext(env, null);
         }
         // ...
      }
      finally
      {
         // Close the context to release the connection
         if (ctx != null)
            ctx.close();
         // ...
      }
      

      The first constructed InitialLdapContext is not closed before creating the "admin context".
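      As an added example (not PicketBox's own code), one way to restructure the method so that the user-bound context is released before the administrator rebind, and so that no context is closed twice when the second constructor throws. The class name `LdapContextExample`, the method `createLdapInitContext` returning the context to the caller, and the helper `closeContext` are hypothetical; the `env`, `bindDN` and `bindCredential` names follow the snippet above.

```java
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Hypothetical rewrite of createLdapInitContext(); not PicketBox's code. */
public final class LdapContextExample {

    /** Returns the admin-bound (or user-bound) context; the caller owns it and must close it. */
    static LdapContext createLdapInitContext(Properties env, String bindDN, Object bindCredential)
            throws NamingException {
        InitialLdapContext ctx = null;
        try {
            // First bind: authenticates the end user's DN and password taken from env.
            ctx = new InitialLdapContext(env, null);

            if (bindDN != null) {
                // Release the user-bound connection BEFORE opening the admin-bound one.
                // In the original snippet this close is missing, so every login that uses
                // an administrator bind leaves the user's connection open.
                closeContext(ctx);
                ctx = null; // if the admin bind throws, finally must not close it again

                env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
                env.put(Context.SECURITY_CREDENTIALS, bindCredential);
                ctx = new InitialLdapContext(env, null);
            }

            LdapContext result = ctx;
            ctx = null; // ownership passes to the caller, so finally leaves it open
            return result;
        } finally {
            // Reached with a non-null ctx only on an error path (a later step threw).
            closeContext(ctx);
        }
    }

    /** Closes a context, swallowing close-time errors so they cannot mask the original exception. */
    static void closeContext(Context ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (NamingException ignored) {
            // The connection is being discarded anyway; nothing actionable here.
        }
    }
}
```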

      The other PicketBox classes which have weak handling of the InitialLdapContext are:

      • LdapContextHandler
      • LdapAttributeMappingProvider

      People: Peter Skopek (pskopek@redhat.com), Josef Cacek (josef.cacek@gmail.com, Inactive), Martin Choma
      Votes: 0
      Watchers: 3