> I found that disabling the OpenLdap pool option on the deployerconfigcontext
> solves the problem:
>
> ...
> <bean id="OpenLdapContextSource"
>   class="org.springframework.ldap.core.support.LdapContextSource">
>   <property name="pooled" value="false"/>
> ...

You should _never_ use JNDI pooling, enabled by the pooled attribute, for authentication. That may cause the authenticated state of one connection to be inherited by a subsequent connection for a different user, thus allowing the former credentials to be used instead of the current ones. This would allow impersonation attacks.

Formerly, when we wrote the custom AuthenticatedLdapContextSource subclass, we explicitly overwrote the pooled property value so this wasn't possible. Perhaps we need some big red letters somewhere in our documentation that indicate _not_ to do this with the Spring LdapContextSource class that we recommend using currently.

M
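
As an added example (not code from this thread, CAS, or Spring LDAP), here is a bind-authentication helper in plain JNDI that sets the JNDI LDAP pooling property to false for every user bind and closes the context afterwards, so no bind runs on a connection another user authenticated. The class name, method names, URL and DN are assumptions made for illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added illustration; class and method names are hypothetical, not CAS or Spring LDAP code.
public class UnpooledBindAuthenticator {
    // JNDI LDAP provider property that switches connection pooling on or off.
    static final String POOL_FLAG = "com.sun.jndi.ldap.connect.pool";

    // Environment for one bind attempt: the user's own DN and password, pooling off.
    static Hashtable<String, Object> bindEnvironment(String url, String userDn, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(POOL_FLAG, "false"); // never hand this bind a previously used connection
        return env;
    }

    // True only if the directory accepts a bind as userDn on a fresh connection.
    static boolean authenticate(String url, String userDn, char[] password) throws NamingException {
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(bindEnvironment(url, userDn, password));
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong credentials; other NamingExceptions propagate
        } finally {
            if (ctx != null) {
                ctx.close(); // with pooling off this closes the connection
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; no connection is opened here.
        Hashtable<String, Object> env = bindEnvironment(
            "ldap://ldap.example.org:389", "uid=alice,ou=people,dc=example,dc=org",
            "constructed-password".toCharArray());
        System.out.println(POOL_FLAG + " = " + env.get(POOL_FLAG));
    }
}
```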
