This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new 4ba1769 Add option from JAAS to the JNDI realm 4ba1769 is described below commit 4ba17698d324f4d0d8565a78021c09d1a33e5cf1 Author: remm <r...@apache.org> AuthorDate: Tue Oct 20 11:21:36 2020 +0200 Add option from JAAS to the JNDI realm JNDI connections can allocate things and resources such as thread, this can avoid classloader leaking. --- java/org/apache/catalina/realm/JNDIRealm.java | 36 +++++++++++++++++++++++++++ webapps/docs/changelog.xml | 5 ++++ webapps/docs/config/realm.xml | 7 ++++++ 3 files changed, 48 insertions(+) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index 30527c4..3d952c0 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -490,6 +490,14 @@ public class JNDIRealm extends RealmBase { protected int connectionPoolSize = 1; + /** + * Whether to use context ClassLoader or default ClassLoader. + * True means use context ClassLoader, and True is the default + * value. + */ + protected boolean useContextClassLoader = true; + + // ------------------------------------------------------------- Properties public boolean getForceDnHexEscape() { @@ -1246,6 +1254,26 @@ public class JNDIRealm extends RealmBase { return clazz.getConstructor().newInstance(); } + /** + * Sets whether to use the context or default ClassLoader. + * True means use context ClassLoader. + * + * @param useContext True means use context ClassLoader + */ + public void setUseContextClassLoader(boolean useContext) { + useContextClassLoader = useContext; + } + + /** + * Returns whether to use the context or default ClassLoader. + * True means to use the context ClassLoader. + * + * @return The value of useContextClassLoader + */ + public boolean isUseContextClassLoader() { + return useContextClassLoader; + } + // ---------------------------------------------------------- Realm Methods /** 
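Review bot: The Javadoc on `useContextClassLoader` in the first JNDIRealm.java hunk says "default ClassLoader" without saying which loader that is, while the `open()` hunk later in this commit switches to `this.getClass().getClassLoader()`, the class loader of the realm's runtime class. I would word it as `Whether JNDI connections are opened with the thread context class loader (true, the default) or with the class loader that loaded this realm (false).` Because the default stays `true`, the isolation described in the commit message is opt-in. The changelog entry in this commit reads as if connections are always created under the container class loader, so the Javadoc should state that `false` has to be set explicitly to get that behaviour.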
@@ -2487,7 +2515,12 @@ public class JNDIRealm extends RealmBase { * @throws NamingException if a directory server error occurs */ protected void open(JNDIConnection connection) throws NamingException { + ClassLoader ocl = null; try { + if (!isUseContextClassLoader()) { + ocl = Thread.currentThread().getContextClassLoader(); + Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader()); + } // Ensure that we have a directory context available connection.context = createDirContext(getDirectoryContextEnvironment()); } catch (Exception e) { @@ -2504,6 +2537,9 @@ public class JNDIRealm extends RealmBase { // reset it in case the connection times out. // the primary may come back. connectionAttempt = 0; + if (!isUseContextClassLoader()) { + Thread.currentThread().setContextClassLoader(ocl); + } } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 1313b0c..db32630 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -75,6 +75,11 @@ <code>ErrorReportValve</code> that returns response as JSON instead of HTML. (kfujino) </add> + <fix> + JNDIRealm connections should only be created with the container + classloader as the thread context classloader, just like for the JAAS + realm. (remm) + </fix> </changelog> </subsection> <subsection name="Coyote"> diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index 628b186..eaa8872 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml 
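Review bot: `isUseContextClassLoader()` is evaluated twice in `open()`, once before the swap in this hunk and again before the restore in the `@@ -2504,6 +2537,9 @@` hunk, and the setter added earlier in this commit is public with a plain, non-volatile field behind it. If the value changes between the two reads, the thread either keeps the realm's class loader as its context class loader or has its context class loader overwritten with the initial `null` held in `ocl`, and that thread may go on to run other work. Reading the flag once closes this: `final boolean swapLoader = !isUseContextClassLoader();` before the `try`, then `if (swapLoader) {` at both sites. The restore sits in a block whose opening lies outside both hunks, presumably the `finally` of this `try`, which is where it needs to be so the loader is also put back when `createDirContext` throws.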
@@ -508,6 +508,13 @@ specified, the default value of <code>302</code> is used.</p> </attribute> + <attribute name="useContextClassLoader" required="false"> + <p>Instructs JNDIRealm to use the context class loader when opening the + connection for the JNDI provider. The default value is + <code>true</code>. To load classes using the container's classloader, + specify <code>false</code>.</p> + </attribute> + <attribute name="useDelegatedCredential" required="false"> <p>When the JNDIRealm is used with the SPNEGO authenticator, delegated credentials for the user may be available. If such credentials are --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org