Steven,

There is a unit test for LdapPasswordSynchronizationConfiguration (found in the same directory as the file you modified). It may not provide a test of @RefreshScope, but you may be able to verify that the correct beans are created. There are also functional tests in ci/tests/ldap that may provide some guidance. I see nothing related to Spring.

Ray

________________________________
From: [email protected] <[email protected]> on behalf of steven gladwell <[email protected]>
Sent: December 9, 2025 11:22
To: CAS Community <[email protected]>
Subject: [cas-user] LDAP Connection Leak During @RefreshScope Refresh - PRs #8098 & #8099

Hello CAS Community,

I've discovered and fixed an LDAP connection leak issue affecting CAS 7.3.x and master that occurs during Spring @RefreshScope refresh cycles (triggered via /actuator/refresh endpoint).

Problem:
When @RefreshScope bean recreation occurs, LdapAuthenticationHandler instances wrapped in BeanContainer are not properly destroyed. Spring only manages the BeanContainer lifecycle, not the handlers inside it. This prevents LdapAuthenticationHandler.destroy() from being called, leaving LDAP connection pools open and leaking threads with each refresh cycle.

Validation:
I confirmed this using VisualVM thread profiling:
- Before fix: Thread count increases with each /actuator/refresh call, and live thread viewer shows multiple ldap threads.
- After fix: Thread count remains flat, live thread viewer does not show multiple, concurrent ldap threads - connections properly closed

Solution:
LdapAuthenticationPlanConfiguration now implements DisposableBean to explicitly track and destroy LDAP handlers during bean destruction. This follows the same pattern already used by LdapHttpSecurityCasWebSecurityConfigurer in the same file (line 139).

Pull Requests:
- Master: https://github.com/apereo/cas/pull/8099
- 7.3.x backport: https://github.com/apereo/cas/pull/8098

Bot Auto-Closed:
Both PRs were auto-closed by the bot requesting unit tests. However, this is a Spring lifecycle management issue that's difficult to test in isolation because:
1. Unit tests don't exercise Spring Cloud's @RefreshScope proxy destruction behavior
2. The issue requires actual LDAP connection pool behavior over multiple refresh cycles
3. The existing precedent (LdapHttpSecurityCasWebSecurityConfigurer.destroy()) in the same file also has no dedicated lifecycle tests

Request for Feedback:
We'd appreciate maintainer review of these PRs. Happy to discuss the testing approach or make any changes needed. If there's a practical way to add lifecycle tests for @RefreshScope behavior, we're open to implementing that.

Thank you for your consideration.

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b54e4dba-f1d9-418a-9b93-b0b7e1758c76n%40apereo.org.

To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/YQBP288MB008131CBAE2CBE426A9ABBB0CEA3A%40YQBP288MB0081.CANP288.PROD.OUTLOOK.COM.
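The destroy-tracking pattern discussed in this thread, as an added example that is not code from CAS or from the pull requests: an owner bean records the pooled handlers it creates and closes them in its own `destroy()`, because a container that only manages the wrapper never reaches the objects inside it. All class names are hypothetical, a counter stands in for LDAP connection pools, `main` simulates refresh cycles, and spring-beans is assumed to be on the classpath for `DisposableBean`.

```java
import org.springframework.beans.factory.DisposableBean;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration; every class below is hypothetical, not a CAS class.
public class HandlerLifecycleDemo {
    // Stands in for the number of open connection pools (and their threads).
    static final AtomicInteger OPEN_POOLS = new AtomicInteger();

    /** Stand-in for a handler that owns a connection pool. */
    static class PooledHandler implements DisposableBean {
        private boolean closed;
        PooledHandler() { OPEN_POOLS.incrementAndGet(); }
        @Override public synchronized void destroy() {
            // Idempotent close: a second destroy() must not double-release.
            if (!closed) { closed = true; OPEN_POOLS.decrementAndGet(); }
        }
    }

    /** Plain wrapper: a container managing this object does not see its contents. */
    record HandlerContainer(List<PooledHandler> handlers) { }

    /** Configuration-like owner that tracks what it creates and tears it down. */
    static class TrackingOwner implements DisposableBean {
        private final List<PooledHandler> tracked = new CopyOnWriteArrayList<>();
        HandlerContainer build(int count) {
            for (int i = 0; i < count; i++) tracked.add(new PooledHandler());
            return new HandlerContainer(List.copyOf(tracked));
        }
        @Override public void destroy() {
            for (PooledHandler handler : tracked) {
                // One failing close must not stop the remaining pools from closing.
                try { handler.destroy(); } catch (RuntimeException e) { e.printStackTrace(); }
            }
            tracked.clear();
        }
    }

    public static void main(String[] args) {
        // Untracked: each simulated refresh replaces the wrapper, handlers stay open.
        for (int i = 0; i < 3; i++) new HandlerContainer(List.of(new PooledHandler()));
        System.out.println("untracked, open pools after 3 refreshes: " + OPEN_POOLS.get());
        OPEN_POOLS.set(0);
        // Tracked: the owner is destroyed before its replacement is built.
        for (int i = 0; i < 3; i++) {
            TrackingOwner owner = new TrackingOwner();
            owner.build(1);
            owner.destroy(); // the call a container makes on a DisposableBean
        }
        System.out.println("tracked, open pools after 3 refreshes: " + OPEN_POOLS.get());
    }
}
```

The same open-resource counter can back a lifecycle test: build the owner, call `destroy()`, and assert the count returns to its starting value without needing a live directory server.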
