This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push: new c7a383d Add option from JAAS to the JNDI realm c7a383d is described below commit c7a383d97977dbf84017ee6ac7f62712d1a1709f Author: remm <r...@apache.org> AuthorDate: Tue Oct 20 11:21:36 2020 +0200 Add option from JAAS to the JNDI realm JNDI connections can allocate things and resources such as thread, this can avoid classloader leaking. --- java/org/apache/catalina/realm/JNDIRealm.java | 36 +++++++++++++++++++++++++++ webapps/docs/changelog.xml | 5 ++++ webapps/docs/config/realm.xml | 7 ++++++ 3 files changed, 48 insertions(+) diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java index e5d6faf..daa76bf 100644 --- a/java/org/apache/catalina/realm/JNDIRealm.java +++ b/java/org/apache/catalina/realm/JNDIRealm.java @@ -498,6 +498,14 @@ public class JNDIRealm extends RealmBase { protected int connectionPoolSize = 1; + /** + * Whether to use context ClassLoader or default ClassLoader. + * True means use context ClassLoader, and True is the default + * value. + */ + protected boolean useContextClassLoader = true; + + // ------------------------------------------------------------- Properties public boolean getForceDnHexEscape() { @@ -1254,6 +1262,26 @@ public class JNDIRealm extends RealmBase { return clazz.getConstructor().newInstance(); } + /** + * Sets whether to use the context or default ClassLoader. + * True means use context ClassLoader. + * + * @param useContext True means use context ClassLoader + */ + public void setUseContextClassLoader(boolean useContext) { + useContextClassLoader = useContext; + } + + /** + * Returns whether to use the context or default ClassLoader. + * True means to use the context ClassLoader. + * + * @return The value of useContextClassLoader + */ + public boolean isUseContextClassLoader() { + return useContextClassLoader; + } + // ---------------------------------------------------------- Realm Methods /** 
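Review bot: The Javadoc on the new `useContextClassLoader` field (hunk `@@ -498,6 +498,14 @@`) says "default ClassLoader" without naming which loader that is. The `open()` hunk later in this commit installs `this.getClass().getClassLoader()`, i.e. the loader that loaded the realm class. The field defaults to `true`, so the previous behaviour is kept and the leak avoidance described in the commit message only applies once the attribute is set to `false`; the changelog entry's "should only be created with the container classloader" reads stronger than that. I would word the field comment as `Whether JNDI connections are opened with the thread context class loader (true, the default) or with the class loader that loaded this realm (false).` The same wording applies to the setter and getter Javadoc in the `@@ -1254,6 +1262,26 @@` hunk.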
@@ -2502,7 +2530,12 @@ public class JNDIRealm extends RealmBase { * @throws NamingException if a directory server error occurs */ protected void open(JNDIConnection connection) throws NamingException { + ClassLoader ocl = null; try { + if (!isUseContextClassLoader()) { + ocl = Thread.currentThread().getContextClassLoader(); + Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader()); + } // Ensure that we have a directory context available connection.context = createDirContext(getDirectoryContextEnvironment()); } catch (Exception e) { @@ -2519,6 +2552,9 @@ public class JNDIRealm extends RealmBase { // reset it in case the connection times out. // the primary may come back. connectionAttempt = 0; + if (!isUseContextClassLoader()) { + Thread.currentThread().setContextClassLoader(ocl); + } } } diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 108a9e1..d4c8583 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -67,6 +67,11 @@ connection scenario. Also remove all connections from the pool after an error. (remm) </fix> + <fix> + JNDIRealm connections should only be created with the container + classloader as the thread context classloader, just like for the JAAS + realm. (remm) + </fix> </changelog> </subsection> <subseciton name="Coyote"> diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml index ba8c217..4f515fb 100644 --- a/webapps/docs/config/realm.xml +++ b/webapps/docs/config/realm.xml 
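Review bot: In `open(JNDIConnection)`, `isUseContextClassLoader()` is evaluated twice, once before the swap (hunk `@@ -2502,7 +2530,12 @@`) and once before the restore (hunk `@@ -2519,6 +2552,9 @@`), while `useContextClassLoader` is a plain mutable field with a public setter. If the setter is called between the two reads, the thread either keeps the realm's class loader as its context class loader after `open` returns, or has its context class loader overwritten with the initial `null` held in `ocl`. Reading the flag once removes both cases: add `final boolean swapLoader = !isUseContextClassLoader();` before the `try` and use `if (swapLoader) {` at both sites. The restore appears to sit in a `finally` block, but the keyword is outside the visible hunk lines, so that placement should be confirmed.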
@@ -508,6 +508,13 @@ specified, the default value of <code>302</code> is used.</p> </attribute> + <attribute name="useContextClassLoader" required="false"> + <p>Instructs JNDIRealm to use the context class loader when opening the + connection for the JNDI provider. The default value is + <code>true</code>. To load classes using the container's classloader, + specify <code>false</code>.</p> + </attribute> + <attribute name="useDelegatedCredential" required="false"> <p>When the JNDIRealm is used with the SPNEGO authenticator, delegated credentials for the user may be available. If such credentials are --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org