Type: Bug
Resolution: Done
Priority: Major
Version: 7.0.0.DR9
There are several InitialLdapContext resource leaks in the LDAP-related code in PicketBox.
The most critical one, in my opinion, is the leak in the `LdapLoginModule.createLdapInitContext()` method. LDAP connections will stay open for customers who use an administrator bind (i.e. the java.naming.security.principal login module option of the LDAP login module).
The problematic code looks like this:

```java
InitialLdapContext ctx = null;
try {
    //...
    ctx = new InitialLdapContext(env, null);
    if (PicketBoxLogger.LOGGER.isTraceEnabled()) {
        PicketBoxLogger.LOGGER.traceSuccessfulLogInToLDAP(ctx.toString());
    }
    if (bindDN != null) {
        // Rebind the ctx to the bind dn/credentials for the roles searches
        PicketBoxLogger.LOGGER.traceRebindWithConfiguredPrincipal(bindDN);
        env.setProperty(Context.SECURITY_PRINCIPAL, bindDN);
        env.put(Context.SECURITY_CREDENTIALS, bindCredential);
        ctx = new InitialLdapContext(env, null); // overwrites the user context without closing it
    }
    // ...
} finally {
    // Close the context to release the connection
    if (ctx != null)
        ctx.close();
    // ...
}
```
The first constructed InitialLdapContext is not closed before creating the "admin context".
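As an added illustration, not PicketBox's own fix, here is the same bind/rebind sequence rewritten so that the user context is released before the administrator context is created and every context that was opened is closed on both the normal and the exception path. Only the JNDI types are real API; the class name, the `RoleSearch` interface, `bindUserThenSearchRoles` and the `env`/`bindDN`/`bindCredential` parameters are assumed names that mirror the snippet above.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Added example, not PicketBox code: the bind/rebind sequence from the
 * snippet above, rewritten so that no InitialLdapContext is ever orphaned.
 * Only the JNDI types are real API; the class, RoleSearch, the method and
 * the env/bindDN/bindCredential parameters are assumed names.
 */
public final class LdapRebindExample {

    /** The work that needs an LDAP connection once the user is authenticated. */
    interface RoleSearch {
        void run(LdapContext ctx) throws NamingException;
    }

    /**
     * Authenticates by binding with the caller's credentials (already in env),
     * then, if an administrator bind is configured, releases that connection
     * and binds again as the administrator for the role search. At most one
     * connection is open at a time and every context that was created is
     * closed, whether or not the search throws.
     */
    static void bindUserThenSearchRoles(Hashtable<String, Object> env,
                                        String bindDN, Object bindCredential,
                                        RoleSearch search) throws NamingException {
        InitialLdapContext ctx = new InitialLdapContext(env, null);
        try {
            if (bindDN != null) {
                // Hand the user context off and clear the shared reference first,
                // so the finally block cannot close the same context twice.
                InitialLdapContext userCtx = ctx;
                ctx = null;
                userCtx.close();                       // the close the original code skipped

                // Put the administrator credentials in a copy; the caller's env
                // keeps the user's principal and is not silently rewritten.
                Hashtable<String, Object> adminEnv = new Hashtable<>(env);
                adminEnv.put(Context.SECURITY_PRINCIPAL, bindDN);
                adminEnv.put(Context.SECURITY_CREDENTIALS, bindCredential);
                ctx = new InitialLdapContext(adminEnv, null);
            }
            search.run(ctx);
        } finally {
            if (ctx != null) {
                ctx.close();                           // releases whichever context is live
            }
        }
    }
}
```

To confirm the leak and the fix operationally, repeat logins with an administrator bind configured and watch the number of established connections from the JVM to the directory server's LDAP port (for example with `ss -tnp` on the server host, or the directory server's own connection count): with the code in the snippet above the count grows by one per login and never falls back, while with both contexts closed it returns to the baseline after each login.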
The other PicketBox classes that have weak handling of the InitialLdapContext are:
- LdapContextHandler
- LdapAttributeMappingProvider
Issue links:
- is cloned by: WFCORE-951 LDAP context resource leaks in Picketbox (Resolved)
- is incorporated by: JBEAP-1967 (7.0.z) Upgrade PicketBox from 4.9.7 to 4.9.4.Final (Closed)