  1. WildFly
  2. WFLY-15038

Kerberos authenticated database connections (e.g. to SQL Server) not reusable when using legacy security and remote EJBs

Details

    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • 24.0.0.Final
    • Security
    • None
    • Hide

      Simple session bean method that retrieves and (automatically - using try-with-resources) returns a connection:

          public void test() {
              log.info("---> test started.");

              try {
                  log.info("------> DataSource.getConnection() ...");
                  try (Connection connection = datasource.getConnection()) {
                      log.info("------> DataSource.getConnection() returned " + connection);
                  }
              } catch (Throwable t) {
                  log.log(Level.SEVERE, t.getMessage(), t);
              } finally {
                  log.info("---> test completed.");
              }
          }

      See client code in description.

    • Undefined

    Description

      Using legacy (rather than Elytron) security configuration for Kerberos connectivity to SQL Server.

      In a single session of an EJB client, repeatedly invoking a remote EJB that retrieves and uses a Kerberos-authenticated database connection during its execution.

              ((ISession) ctx.lookup("java:jboss-eap-test/SessionBean!support.jboss.ejb.session.remote.ISession")).test();
              ((ISession) ctx.lookup("java:jboss-eap-test/SessionBean!support.jboss.ejb.session.remote.ISession")).test();
              ((ISession) ctx.lookup("java:jboss-eap-test/SessionBean!support.jboss.ejb.session.remote.ISession")).test();
      

      Observed that each remote invocation results in creation of a different/new database connection (e.g. 3 are created during the 3 executions above).

      Using a Byteman rule like the below, verified that the issue relates to creation of a new sub-pool (mcpPools.keySet().size() increases) for each remote invocation.

      RULE org.jboss.jca.core.connectionmanager.pool.AbstractPool.getManagedConnectionPool
      CLASS org.jboss.jca.core.connectionmanager.pool.AbstractPool
      METHOD getManagedConnectionPool
      AT ENTRY
      IF true
      DO System.out.println("[BMAN DEBG] mcpPools.get(key) [keySet.size=" + $0.mcpPools.keySet().size() + "] => " + $0.mcpPools.get($1));
      ENDRULE
      

      Unable to reproduce the same issue when using Elytron or when using legacy security with EJB client 2.1.8 (so issue seems to have been introduced sometime between 2.1.8 and 4.0.9).
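
An added example, not part of the original issue: a Python script that reads the output printed by the Byteman rule above and reports whether sub-pools are being reused across invocations. The sample log text is constructed, and treating `null` as "no sub-pool exists yet for this key" is an assumption based on the rule firing AT ENTRY.

```python
import re

# Matches the line printed by the Byteman rule in the description:
#   [BMAN DEBG] mcpPools.get(key) [keySet.size=N] => <pool or null>
LINE = re.compile(r"\[BMAN DEBG\] mcpPools\.get\(key\) \[keySet\.size=(\d+)\] => (.*)$")


def summarize(log_text):
    """Return lookup/miss counts and sub-pool growth from Byteman output."""
    sizes, misses = [], 0
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # unrelated server log line
        sizes.append(int(m.group(1)))
        # Assumption: the rule fires AT ENTRY, so "null" means no sub-pool
        # exists for this key yet and one is about to be created.
        if m.group(2).strip() == "null":
            misses += 1
    return {
        "lookups": len(sizes),
        "misses": misses,
        "growth": sizes[-1] - sizes[0] if sizes else 0,
        # Reported symptom: every lookup misses, even after the first call.
        "no_reuse": len(sizes) > 1 and misses == len(sizes),
    }


# Constructed sample (not from the issue): three calls, a new sub-pool each time.
LEAKY = """\
INFO ------> DataSource.getConnection() ...
[BMAN DEBG] mcpPools.get(key) [keySet.size=0] => null
[BMAN DEBG] mcpPools.get(key) [keySet.size=1] => null
[BMAN DEBG] mcpPools.get(key) [keySet.size=2] => null
"""

# Constructed sample: the sub-pool created by the first call is found again.
REUSED = """\
[BMAN DEBG] mcpPools.get(key) [keySet.size=0] => null
[BMAN DEBG] mcpPools.get(key) [keySet.size=1] => pool-object-placeholder
[BMAN DEBG] mcpPools.get(key) [keySet.size=1] => pool-object-placeholder
"""

if __name__ == "__main__":
    print(summarize(LEAKY))
    print(summarize(REUSED))
```

The `growth` value is measured at method entry, so it is one less than the number of sub-pools that exist after the last call in the first sample.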

            People

              rhn-support-rmartinc Ricardo Martin Camarero