> I take out the line <property name="pooled" value="true"/> and all works as
> expected with a bind each time the rubbish credentials are used and failed
> authentication......
>
> Is this a bug?

I'm surprised you see only one bind with JNDI pooling enabled, but I believe we should ignore that mysterious fact for the moment.

You should not use JNDI pooling for contexts used for authentication since the credentials are not cleared from the context until new credentials are bound to that context for subsequent authentications. This leaves the context in an authenticated state such that impersonation attacks are possible. While I don't believe this is a concern in practice with CAS, it's wise to avoid mixing pooling and authentication in general. This includes object pooling à la Spring PoolingContextSource, http://static.springsource.org/spring-ldap/site/apidocs/org/springframework/ldap/pool/factory/PoolingContextSource.html.

M
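
Added example, not part of the original message and not CAS's own configuration: a Spring LDAP bean layout that keeps pooling away from authentication binds, as the reply advises. The bean ids, host, service-account DN and the `${ldap.search.password}` placeholder are assumptions; pooling the search context is this example's choice, not something the thread prescribes.

```xml
<!-- Context source used for authentication binds (end-user credentials).
     Pooling is off, so every attempt opens a fresh context and nothing
     still bound as a previous user can be handed to the next request. -->
<bean id="authContextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="false"/>
  <property name="url" value="ldaps://ldap.example.org"/>
</bean>

<!-- Separate context source for directory searches, always bound as one
     fixed service account. The identity on these contexts never changes,
     so reusing them does not mix one user's bind with another's request. -->
<bean id="searchContextSource"
      class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="pooled" value="true"/>
  <property name="url" value="ldaps://ldap.example.org"/>
  <property name="userDn" value="cn=svc-search,ou=services,dc=example,dc=org"/>
  <property name="password" value="${ldap.search.password}"/>
</bean>
```

Wire only the non-pooled bean into whatever component performs the user bind. A quick check after the change is the one the original poster used: each failed login should produce its own bind in the directory server's log.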
