Re: [DISCUSS] Deprecate and remove RealmBase#stripRealmForGss

[Michael Osipov]

Am 2020-10-13 um 12:32 schrieb Mark Thomas:

On 13/10/2020 10:48, Michael Osipov wrote:

Folks,

I'd like to propose to get rid of that config option in 10 and deprecate
in previous versions for the following reasons:

* It suffers from abstraction: It assumes that the GSS name is always
email style w/o checking its OID
* The realm part, if any, is an integeral part of the principal. Much
like with an email address' domain. You wouldn't stip here too, would you?
* It is a surprise for clients having the princippal mutilated by
default. I trip over and over again this when I set up
UserDatabaseRealms for testing purposes I wonder why
michae...@example.com does not work.
* In a multi realm environment, it is perfectly fine and valid to have
user1@REALMA and user1@REALMB. These are distinct principals, but
treated by RealmBase equally, this has implications.
* Finally, when doing cert-based auth in an AD envinronment, is it
pretty common to extract the msUPN name from the cert's SAN which is
almost always email address (enteprise principal) which would end up in
michael.osipov, but where is the rest?!

Thoughts?


No objections to changing the default to false in 10.0.x but I think
removal/deprecation is a step too far.


OK


Not everyone uses the full u...@bigco.com format as the "primary key" in
their internal user database. I see lots of variation depending on which
system is viewed as the source of truth to which other systems are
synchronised.


So you will never be able to satisfy all, why try?


We have X509UsernameRetriever for certificate authentication. That came
out of bug 52500 where the aim was to support a wide variety of formats.
The root of that requirement was essentially the same - integration with
a variety of systems where the user name could be in in a range of
formats. The mapping of that format to an X509 cert just added another
layer of complexity.


I don't think that this compares (well( because a certificate is a 
complex object explicitly containing SAN which contain wellknown forms 
for an entity whereas a GSS name is merely a string with an identifier 
for its format. Your argumentation could also be applied to an LDAP 
bind. Active Directory, for instance, accepts a various amounts of input 
formats for the same entity, yet we don't provide a logic to normalize 
them in the JNDI Realm. That seems to be unfair to me.

It lacks a bit of consistency.


If there was user demand for it (I haven't seen any) I'd support a
similar interface for SPNEGO. With such an interface in place,
deprecation and removal of stripRealmForGss would make sense.


See above.

Michael

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat] 01/04: Add connection pool to JNDI realm

[Rémy Maucherat]

On Tue, Oct 13, 2020 at 8:26 PM Michael Osipov  wrote:

> Am 2020-10-13 um 13:49 schrieb Rémy Maucherat:
> > On Tue, Oct 13, 2020 at 11:33 AM Michael Osipov 
> wrote:
> >
> >> Am 2020-10-07 um 22:34 schrieb r...@apache.org:
> >>> This is an automated email from the ASF dual-hosted git repository.
> >>>
> >>> remm pushed a commit to branch 8.5.x
> >>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >>>
> >>> commit 50de36b7874da98591345e40b374a1e2dd52c188
> >>> Author: remm 
> >>> AuthorDate: Thu Jan 30 17:22:51 2020 +0100
> >>>
> >>>   Add connection pool to JNDI realm
> >>>
> >>>   This implements a TODO from the class javadoc header.
> >>>   As described in the javadoc, the idea is to use a pool to avoid
> >> blocking
> >>>   on a single connection, which could possibly become a bottleneck
> in
> >> some
> >>>   cases. The message formats need to be kept along with the
> connection
> >>>   since they are not thread safe.
> >>>   Preserve the default behavior: sync without pooling (using a Lock
> >> object
> >>>   which is more flexible).
> >>>   I may backport this since this is limited to the JNDI realm, but
> >> only
> >>>   once it is confirmed to be regression free. Tested with ApacheDS
> >> but my
> >>>   LDAP skills are very limited.
> >>> ---
> >>>java/org/apache/catalina/realm/JNDIRealm.java  | 442
> >> -
> >>>.../apache/catalina/realm/LocalStrings.properties  |   1 +
> >>>test/org/apache/catalina/realm/TestJNDIRealm.java  |   7 +-
> >>>webapps/docs/changelog.xml |   3 +
> >>>webapps/docs/config/realm.xml  |   7 +
> >>>5 files changed, 276 insertions(+), 184 deletions(-)
> >>
> >> Salut Rémy,
> >>
> >> this is a very very nice improvement to the matter and I gave your idea
> >> a spin my public Active Directory realm. Based on my tests with AD I see
> >> room for improvement: (Note that I don't use the JNDIRealm because
> >> because is it too generic and usable for me)
> >>
> >
> > Ok, I only tested this with a local ldap, so not much. I verified it was
> > pooling connections.
> >
> >
> >>
> >> * You might want to consider to introduce a maxIdleTime to avoid stale
> >> connections, e.g., AD has default value of 15 minutes. Yep, I had had
> >> several RSTs resulting in 401s
> >>
> >
> > Oops. So I don't think adding something like this helps since there could
> > be plenty of issues besides a timeout. Basically it's supposed to retry
> > instead when something fails. Can you give me a stack trace to show
> what's
> > wrong ?
>
> I consider it cheaper to test for a timeout and close actively rather
> than recover from a resetted connection. Here is a strack trace for
> concurrency of 4 (with a pool of max 8). Compare the timestamp of the
> first line and the subsequent ones:
>
> > 2020-10-12T22:55:47 FEIN [https-openssl-apr-8444-exec-8]
> net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.release Releasing
> directory server connection to pool
> > 2020-10-12T23:13:06 FEIN [https-openssl-apr-8444-exec-5]
> net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire Acquiring
> directory server connection from pool
> > 2020-10-12T23:13:06 FEIN [https-openssl-apr-8444-exec-5]
> net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.validate Validating
> directory server connection from pool
> > 2020-10-12T23:13:06 SCHWERWIEGEND [https-openssl-apr-8444-exec-5]
> net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.validate Exception
> validating directory server connection
> > javax.naming.CommunicationException: Connection reset [Root
> exception is java.net.SocketException: Connection reset]; remaining name ''
> > at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2030)
> > at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1872)
> > at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1797)
> > at
> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
> > at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
> > at
> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
> > at
> javax.naming.directory.InitialDirContext.search(InitialDirContext.java:296)
> > at
> net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.validate(ActiveDirectoryRealm.java:316)
> > at
> net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:285)
> > at
> net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:244)
> > at
> org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:501)
> > at
> net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:165)
> > at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:633)
> >

Re: [tomcat] branch 8.5.x updated: Always retry on a new connection, even when pooling

[Michael Osipov]

Am 2020-10-13 um 16:05 schrieb r...@apache.org:

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
  new 883600b  Always retry on a new connection, even when pooling
883600b is described below

commit 883600b8a77c0be93b3a8dc2404e8d1110970ee7
Author: remm 
AuthorDate: Tue Oct 13 14:19:54 2020 +0200

 Always retry on a new connection, even when pooling
 
 This keeps the same very simple design as for the single connection

 scenario, for now.
---
  java/org/apache/catalina/realm/JNDIRealm.java | 22 +++---
  webapps/docs/changelog.xml|  5 +
  2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/realm/JNDIRealm.java 
b/java/org/apache/catalina/realm/JNDIRealm.java
index 72087ab..98007f7 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1311,7 +1311,7 @@ public class JNDIRealm extends RealmBase {
  close(connection);
  
  // open a new directory context.

-connection = get();
+connection = get(true);
  
  // Try the authentication again.

  principal = authenticate(connection, username, credentials);
@@ -2389,12 +2389,28 @@ public class JNDIRealm extends RealmBase {
   * @exception NamingException if a directory server error occurs
   */
  protected JNDIConnection get() throws NamingException {
+return get(false);
+}
+
+/**
+ * Open (if necessary) and return a connection to the configured
+ * directory server for this Realm.
+ * @param create when pooling, this forces creation of a new connection,
+ *   for example after an error
+ * @return the connection
+ * @exception NamingException if a directory server error occurs
+ */
+protected JNDIConnection get(boolean create) throws NamingException {
  JNDIConnection connection = null;
  // Use the pool if available, otherwise use the single connection
  if (connectionPool != null) {
-connection = connectionPool.pop();
-if (connection == null) {
+if (create) {
  connection = create();
+} else {
+connection = connectionPool.pop();
+if (connection == null) {
+connection = create();
+}
  }
  } else {
  singleConnectionLock.lock();


That suitable and simple approach.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat] 01/04: Add connection pool to JNDI realm

[Michael Osipov]

Am 2020-10-13 um 13:49 schrieb Rémy Maucherat:

On Tue, Oct 13, 2020 at 11:33 AM Michael Osipov  wrote:


Am 2020-10-07 um 22:34 schrieb r...@apache.org:

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 50de36b7874da98591345e40b374a1e2dd52c188
Author: remm 
AuthorDate: Thu Jan 30 17:22:51 2020 +0100

  Add connection pool to JNDI realm

  This implements a TODO from the class javadoc header.
  As described in the javadoc, the idea is to use a pool to avoid

blocking

  on a single connection, which could possibly become a bottleneck in

some

  cases. The message formats need to be kept along with the connection
  since they are not thread safe.
  Preserve the default behavior: sync without pooling (using a Lock

object

  which is more flexible).
  I may backport this since this is limited to the JNDI realm, but

only

  once it is confirmed to be regression free. Tested with ApacheDS

but my

  LDAP skills are very limited.
---
   java/org/apache/catalina/realm/JNDIRealm.java  | 442

-

   .../apache/catalina/realm/LocalStrings.properties  |   1 +
   test/org/apache/catalina/realm/TestJNDIRealm.java  |   7 +-
   webapps/docs/changelog.xml |   3 +
   webapps/docs/config/realm.xml  |   7 +
   5 files changed, 276 insertions(+), 184 deletions(-)


Salut Rémy,

this is a very very nice improvement to the matter and I gave your idea
a spin my public Active Directory realm. Based on my tests with AD I see
room for improvement: (Note that I don't use the JNDIRealm because
because is it too generic and usable for me)



Ok, I only tested this with a local ldap, so not much. I verified it was
pooling connections.




* You might want to consider to introduce a maxIdleTime to avoid stale
connections, e.g., AD has default value of 15 minutes. Yep, I had had
several RSTs resulting in 401s



Oops. So I don't think adding something like this helps since there could
be plenty of issues besides a timeout. Basically it's supposed to retry
instead when something fails. Can you give me a stack trace to show what's
wrong ?


I consider it cheaper to test for a timeout and close actively rather 
than recover from a resetted connection. Here is a strack trace for 
concurrency of 4 (with a pool of max 8). Compare the timestamp of the 
first line and the subsequent ones:



2020-10-12T22:55:47 FEIN [https-openssl-apr-8444-exec-8] 
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.release Releasing directory 
server connection to pool
2020-10-12T23:13:06 FEIN [https-openssl-apr-8444-exec-5] 
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire Acquiring directory 
server connection from pool
2020-10-12T23:13:06 FEIN [https-openssl-apr-8444-exec-5] 
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.validate Validating directory 
server connection from pool
2020-10-12T23:13:06 SCHWERWIEGEND [https-openssl-apr-8444-exec-5] 
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.validate Exception validating 
directory server connection
javax.naming.CommunicationException: Connection reset [Root exception is 
java.net.SocketException: Connection reset]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2030)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1872)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1797)
at 
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
at 
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at 
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
at 
javax.naming.directory.InitialDirContext.search(InitialDirContext.java:296)
at 
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.validate(ActiveDirectoryRealm.java:316)
at 
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:285)
at 
net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:244)
at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:501)
at 
net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:165)
at 
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:633)
at 
org.apache.catalina.valves.rewrite.RewriteValve.invoke(RewriteValve.java:571)
at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at 
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at 

Cannot override servlet context init param

[Matt Benson]

Hello,
Today I was experimenting with a Servlet ContainerInitializer in which I
wanted to modify the value of a particular init param, but found that
Tomcat's ServletContext implementation (ApplicationContext) explicitly
rejected the override. The Servlet API doesn't seem to suggest that what
I'm trying to do should not be supported; would a patch (or patches,
thinking of multiple Tomcat versions) to support this behavior, perhaps
conditionally, be welcome? If so, what form should such conditional support
take?

Thanks,
Matt

[Bug 60030] Run away CPU with JSSE / OpenSSL with IE8

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60030

--- Comment #5 from kivetomani  ---
Kami Memberikan Bonus Special Mystery Box untuk para member aktif dan setia
setiap Hari Sabtu Dan Minggu berhadiah UANG TUNAI!
https://199.192.31.67
http://www.dewatogelonline88.com/
https://199.192.26.181

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 60030] Run away CPU with JSSE / OpenSSL with IE8

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=60030

kivetomani  changed:

   What|Removed |Added

URL||https://199.192.31.67

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[GitHub] [tomcat] blueSky1825821 commented on pull request #368: fix: CachedResource add path length

[GitBox]

blueSky1825821 commented on pull request #368:
URL: https://github.com/apache/tomcat/pull/368#issuecomment-707629467


   > I've done some calculations and the absolute upper limit (the actual upper 
limit will be lower) is that a cache with a 10MB limit on size will actually 
use a little under 175MB. That isn't great but it isn't terrible either. I'll 
tweak the resource size calculation so it includes an approximate of the memory 
required to store the path.
   > The proposed patch has a couple of issues:
   > 
   > * It converts the string to bytes to determine the size.  This is both 
expensive and wrong. String length *2 +38 is a much closer approximation and I 
intend to ignore the 38 as that is already accounted for in the 500 byte 
overhead for each entry.
   > * It includes the path size when determining if the resource exceeds the 
max object size (and hence won't have the content cached) but does not include 
the path size when performing the same check to determine when deciding whether 
to cache the content or not.
   > 
   > I should have a fix for this committed shortly.
   
   Let me add that, after jdk8, e.g jdk9 String has been changed
   private final char value[]; -->  private final byte[] value; 
   but length *2 is also fine
   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat] 01/04: Add connection pool to JNDI realm

[Michael Osipov]

Am 2020-10-07 um 22:34 schrieb r...@apache.org:

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 50de36b7874da98591345e40b374a1e2dd52c188
Author: remm 
AuthorDate: Thu Jan 30 17:22:51 2020 +0100

 Add connection pool to JNDI realm
 
 This implements a TODO from the class javadoc header.

 As described in the javadoc, the idea is to use a pool to avoid blocking
 on a single connection, which could possibly become a bottleneck in some
 cases. The message formats need to be kept along with the connection
 since they are not thread safe.
 Preserve the default behavior: sync without pooling (using a Lock object
 which is more flexible).
 I may backport this since this is limited to the JNDI realm, but only
 once it is confirmed to be regression free. Tested with ApacheDS but my
 LDAP skills are very limited.
---
  java/org/apache/catalina/realm/JNDIRealm.java  | 442 -
  .../apache/catalina/realm/LocalStrings.properties  |   1 +
  test/org/apache/catalina/realm/TestJNDIRealm.java  |   7 +-
  webapps/docs/changelog.xml |   3 +
  webapps/docs/config/realm.xml  |   7 +
  5 files changed, 276 insertions(+), 184 deletions(-)


Salut Rémy,

this is a very very nice improvement to the matter and I gave your idea 
a spin my public Active Directory realm. Based on my tests with AD I see 
room for improvement: (Note that I don't use the JNDIRealm because 
because is it too generic and usable for me)


* You might want to consider to introduce a maxIdleTime to avoid stale 
connections, e.g., AD has default value of 15 minutes. Yep, I had had 
several RSTs resulting in 401s
* Validating connections optionally might be a good option to detect 
stale connections or broken ones ny networks issues. This works for me 
very fast:

protected boolean validate(DirContextConnection connection) {
if (logger.isDebugEnabled())

logger.debug(sm.getString("activeDirectoryRealm.validate"));

SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.OBJECT_SCOPE);
controls.setCountLimit(1);
controls.setReturningAttributes(new String[] { "objectClass" });
controls.setTimeLimit(500);

try {
NamingEnumeration results = 
connection.context.search("", "objectclass=*",
controls);

if (results.hasMore()) {
close(results);
return true;
}
} catch (NamingException e) {

logger.error(sm.getString("activeDirectoryRealm.validate.namingException"), e);

return false;
}

return false;
}

I do this in the acquire() method

* The acquire(), authenticate(), fail, close(), authenticate(), 
release() is brittle and proved to fail here. I have a curl script which 
does 4 requests in parallel and 1200 requests in total. Pool size is 8. 
4 connections in the pool. Rest for 16 minutes, connections are broken 
now. Start requests. authenticate() will fail twice because top two 
acquired connections from pool are broken. Requests end with 401. I'd 
prefer to to modify acquire() is such a fashion:

protected DirContextConnection acquire() {
if (logger.isDebugEnabled())

logger.debug(sm.getString("activeDirectoryRealm.acquire"));

DirContextConnection connection = null;

while (connection == null) {
connection = connectionPool.pop();

if (connection != null) {
long idleTime = System.currentTimeMillis() - 
connection.lastBorrowTime;
if (idleTime > maxIdleTime) {
if (logger.isDebugEnabled())

logger.debug(sm.getString("activeDirectoryRealm.exceedMaxIdleTime"));
close(connection);
connection = null;
} else {
boolean valid = validate(connection);
if (valid) {
if (logger.isDebugEnabled())

logger.debug(sm.getString("activeDirectoryRealm.reuse"));
} else {
close(connection);
connection = 

[DISCUSS] Deprecate and remove RealmBase#stripRealmForGss

[Michael Osipov]

Folks,

I'd like to propose to get rid of that config option in 10 and deprecate 
in previous versions for the following reasons:


* It suffers from abstraction: It assumes that the GSS name is always 
email style w/o checking its OID
* The realm part, if any, is an integeral part of the principal. Much 
like with an email address' domain. You wouldn't stip here too, would you?
* It is a surprise for clients having the princippal mutilated by 
default. I trip over and over again this when I set up 
UserDatabaseRealms for testing purposes I wonder why 
michae...@example.com does not work.
* In a multi realm environment, it is perfectly fine and valid to have 
user1@REALMA and user1@REALMB. These are distinct principals, but 
treated by RealmBase equally, this has implications.
* Finally, when doing cert-based auth in an AD envinronment, is it 
pretty common to extract the msUPN name from the cert's SAN which is 
almost always email address (enteprise principal) which would end up in 
michael.osipov, but where is the rest?!


Thoughts?

Michael

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 64765] ThreadPoolExecutor#submittedCount wrong after undeploy

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64765

--- Comment #4 from m...@bsi-software.com ---
I confirm the issue seems to be fixed.
Tested with release 9.0.39.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 64809] New: it's haven't reset connection properties based on connectionpool configuration information when returnConnection

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64809

Bug ID: 64809
   Summary: it's  haven't reset connection properties based on
connectionpool configuration information when
returnConnection
   Product: Tomcat 8
   Version: 8.5.11
  Hardware: All
OS: All
Status: NEW
  Severity: normal
  Priority: P2
 Component: Connectors
  Assignee: dev@tomcat.apache.org
  Reporter: xiongchao90.1...@163.com
  Target Milestone: 

it's  haven't reset connection properties based on connectionpool configuration
information when returnConnection

Causes the connection pool properties to be confused

if A thread  connection A con.setReadOnly(true)
con.setAutoCommit(false)，release connection A。

B thread get connection A execute update throws exception

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 64809] Connection properties not reset to defaults when Connection is returned to the pool

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64809

--- Comment #2 from xiongchao  ---
 protected void returnConnection(PooledConnection con) {
if (this.isClosed()) {
this.release(con);
} else {
if (con != null) {
try {
this.returnedCount.incrementAndGet();
con.lock();
if (con.isSuspect()) {
if (this.poolProperties.isLogAbandoned() &&
log.isInfoEnabled()) {
log.info("Connection(" + con + ") that has been
marked suspect was returned." + " The processing time is " +
(System.currentTimeMillis() - con.getTimestamp()) + " ms.");
}

if (this.jmxPool != null) {
this.jmxPool.notify("SUSPECT CONNECTION RETURNED",
"Connection(" + con + ") that has been marked suspect was returned.");
}
}

if (this.busy.remove(con)) {
if (!this.shouldClose(con, 2)) {
con.setStackTrace((String)null);
con.setTimestamp(System.currentTimeMillis());
if (this.idle.size() >=
this.poolProperties.getMaxIdle() && !this.poolProperties.isPoolSweeperEnabled()
|| !this.idle.offer(con)) {
if (log.isDebugEnabled()) {
log.debug("Connection [" + con + "] will be
closed and not returned to the pool, idle[" + this.idle.size() + "]>=maxIdle["
+ this.poolProperties.getMaxIdle() + "] idle.offer failed.");
}

this.release(con);
}
} else {
if (log.isDebugEnabled()) {
log.debug("Connection [" + con + "] will be
closed and not returned to the pool.");
}

this.release(con);
}
} else {
if (log.isDebugEnabled()) {
log.debug("Connection [" + con + "] will be closed
and not returned to the pool, busy.remove failed.");
}

this.release(con);
}
} finally {
con.unlock();
}
}

}
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat] branch master updated: Partial fix for BZ 63362 provide h2 request statistics

[Mark Thomas]

On 09/10/2020 17:43, ma...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
> 
> markt pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
> The following commit(s) were added to refs/heads/master by this push:
>  new 62a684c  Partial fix for BZ 63362 provide h2 request statistics
> 62a684c is described below
> 
> commit 62a684cd2b2039a68e74813cf4e20fc95a2cebe4
> Author: Mark Thomas 
> AuthorDate: Wed Jun 24 19:24:17 2020 +0100
> 
> Partial fix for BZ 63362 provide h2 request statistics

Just a quick heads up that as I work on WebSocket (and a generic
solution for any HTTP upgrade protocol) it is looking as if a chunk of
the changes below are going to be reverted.

Mark


> ---
>  java/org/apache/coyote/AbstractProtocol.java  | 35 +++
>  java/org/apache/coyote/LocalStrings.properties|  1 +
>  java/org/apache/coyote/UpgradeProtocol.java   | 22 
>  java/org/apache/coyote/http2/Http2Protocol.java   | 41 
> +++
>  java/org/apache/coyote/http2/StreamProcessor.java |  6 
>  webapps/docs/changelog.xml|  4 +++
>  6 files changed, 102 insertions(+), 7 deletions(-)
> 
> diff --git a/java/org/apache/coyote/AbstractProtocol.java 
> b/java/org/apache/coyote/AbstractProtocol.java
> index e214f80..159531e 100644
> --- a/java/org/apache/coyote/AbstractProtocol.java
> +++ b/java/org/apache/coyote/AbstractProtocol.java
> @@ -69,12 +69,6 @@ public abstract class AbstractProtocol implements 
> ProtocolHandler,
>  
>  
>  /**
> - * Name of MBean for the Global Request Processor.
> - */
> -protected ObjectName rgOname = null;
> -
> -
> -/**
>   * Unique ID for this connector. Only used if the connector is configured
>   * to use a random port as the port will change if stop(), start() is
>   * called.
> @@ -145,6 +139,14 @@ public abstract class AbstractProtocol implements 
> ProtocolHandler,
>  // --- Properties managed by the 
> ProtocolHandler
>  
>  /**
> + * Name of MBean for the Global Request Processor.
> + */
> +protected ObjectName rgOname = null;
> +public ObjectName getGlobalRequestProcessorMBeanName() {
> +return rgOname;
> +}
> +
> +/**
>   * The adapter provides the link between the ProtocolHandler and the
>   * connector.
>   */
> @@ -546,7 +548,8 @@ public abstract class AbstractProtocol implements 
> ProtocolHandler,
>  }
>  
>  if (this.domain != null) {
> -rgOname = new ObjectName(domain + 
> ":type=GlobalRequestProcessor,name=" + getName());
> +ObjectName rgOname = new ObjectName(domain + 
> ":type=GlobalRequestProcessor,name=" + getName());
> +this.rgOname = rgOname;
>  Registry.getRegistry(null, null).registerComponent(
>  getHandler().getGlobal(), rgOname, null);
>  }
> @@ -556,6 +559,13 @@ public abstract class AbstractProtocol implements 
> ProtocolHandler,
>  endpoint.setDomain(domain);
>  
>  endpoint.init();
> +
> +UpgradeProtocol[] upgradeProtocols = findUpgradeProtocols();
> +for (UpgradeProtocol upgradeProtocol : upgradeProtocols) {
> +// Implementation note: Failure of one upgrade protocol fails the
> +// whole Connector
> +upgradeProtocol.init();
> +}
>  }
>  
>  
> @@ -669,6 +679,16 @@ public abstract class AbstractProtocol implements 
> ProtocolHandler,
>  logPortOffset();
>  }
>  
> +UpgradeProtocol[] upgradeProtocols = findUpgradeProtocols();
> +for (UpgradeProtocol upgradeProtocol : upgradeProtocols) {
> +try {
> +upgradeProtocol.destroy();
> +} catch (Throwable t) {
> +ExceptionUtils.handleThrowable(t);
> +
> getLog().error(sm.getString("abstractProtocol.upgradeProtocolDestroyError"), 
> t);
> +}
> +}
> +
>  try {
>  endpoint.destroy();
>  } finally {
> @@ -686,6 +706,7 @@ public abstract class AbstractProtocol implements 
> ProtocolHandler,
>  }
>  }
>  
> +ObjectName rgOname = getGlobalRequestProcessorMBeanName();
>  if (rgOname != null) {
>  Registry.getRegistry(null, 
> null).unregisterComponent(rgOname);
>  }
> diff --git a/java/org/apache/coyote/LocalStrings.properties 
> b/java/org/apache/coyote/LocalStrings.properties
> index 83960cb..43c8d64 100644
> --- a/java/org/apache/coyote/LocalStrings.properties
> +++ b/java/org/apache/coyote/LocalStrings.properties
> @@ -36,6 +36,7 @@ abstractProcessor.socket.ssl=Exception getting SSL 
> attributes
>  abstractProtocol.mbeanDeregistrationFailed=Failed to deregister MBean named 
> [{0}] from MBean server [{1}]
>  

Re: [DISCUSS] Deprecate and remove RealmBase#stripRealmForGss

[Mark Thomas]

On 13/10/2020 10:48, Michael Osipov wrote:
> Folks,
> 
> I'd like to propose to get rid of that config option in 10 and deprecate
> in previous versions for the following reasons:
> 
> * It suffers from abstraction: It assumes that the GSS name is always
> email style w/o checking its OID
> * The realm part, if any, is an integeral part of the principal. Much
> like with an email address' domain. You wouldn't stip here too, would you?
> * It is a surprise for clients having the princippal mutilated by
> default. I trip over and over again this when I set up
> UserDatabaseRealms for testing purposes I wonder why
> michae...@example.com does not work.
> * In a multi realm environment, it is perfectly fine and valid to have
> user1@REALMA and user1@REALMB. These are distinct principals, but
> treated by RealmBase equally, this has implications.
> * Finally, when doing cert-based auth in an AD envinronment, is it
> pretty common to extract the msUPN name from the cert's SAN which is
> almost always email address (enteprise principal) which would end up in
> michael.osipov, but where is the rest?!
> 
> Thoughts?

No objections to changing the default to false in 10.0.x but I think
removal/deprecation is a step too far.

Not everyone uses the full u...@bigco.com format as the "primary key" in
their internal user database. I see lots of variation depending on which
system is viewed as the source of truth to which other systems are
synchronised.

We have X509UsernameRetriever for certificate authentication. That came
out of bug 52500 where the aim was to support a wide variety of formats.
The root of that requirement was essentially the same - integration with
a variety of systems where the user name could be in in a range of
formats. The mapping of that format to an X509 cert just added another
layer of complexity.

If there was user demand for it (I haven't seen any) I'd support a
similar interface for SPNEGO. With such an interface in place,
deprecation and removal of stripRealmForGss would make sense.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat] 01/04: Add connection pool to JNDI realm

[Rémy Maucherat]

On Tue, Oct 13, 2020 at 11:33 AM Michael Osipov  wrote:

> Am 2020-10-07 um 22:34 schrieb r...@apache.org:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > remm pushed a commit to branch 8.5.x
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> > commit 50de36b7874da98591345e40b374a1e2dd52c188
> > Author: remm 
> > AuthorDate: Thu Jan 30 17:22:51 2020 +0100
> >
> >  Add connection pool to JNDI realm
> >
> >  This implements a TODO from the class javadoc header.
> >  As described in the javadoc, the idea is to use a pool to avoid
> blocking
> >  on a single connection, which could possibly become a bottleneck in
> some
> >  cases. The message formats need to be kept along with the connection
> >  since they are not thread safe.
> >  Preserve the default behavior: sync without pooling (using a Lock
> object
> >  which is more flexible).
> >  I may backport this since this is limited to the JNDI realm, but
> only
> >  once it is confirmed to be regression free. Tested with ApacheDS
> but my
> >  LDAP skills are very limited.
> > ---
> >   java/org/apache/catalina/realm/JNDIRealm.java  | 442
> -
> >   .../apache/catalina/realm/LocalStrings.properties  |   1 +
> >   test/org/apache/catalina/realm/TestJNDIRealm.java  |   7 +-
> >   webapps/docs/changelog.xml |   3 +
> >   webapps/docs/config/realm.xml  |   7 +
> >   5 files changed, 276 insertions(+), 184 deletions(-)
>
> Salut Rémy,
>
> this is a very very nice improvement to the matter and I gave your idea
> a spin my public Active Directory realm. Based on my tests with AD I see
> room for improvement: (Note that I don't use the JNDIRealm because
> because is it too generic and usable for me)
>

Ok, I only tested this with a local ldap, so not much. I verified it was
pooling connections.


>
> * You might want to consider to introduce a maxIdleTime to avoid stale
> connections, e.g., AD has default value of 15 minutes. Yep, I had had
> several RSTs resulting in 401s
>

Oops. So I don't think adding something like this helps since there could
be plenty of issues besides a timeout. Basically it's supposed to retry
instead when something fails. Can you give me a stack trace to show what's
wrong ?

https://github.com/apache/tomcat/blob/master/java/org/apache/catalina/realm/JNDIRealm.java#L1306
Looking at the code, it does retry, but it would simply get a new
connection from the pool again. So if it gets a second bad connection, then
it would most likely fail. Is it what happened for you ?
A solution could be to create a new connection for the pooled case, to make
up for that.


> * Validating connections optionally might be a good option to detect
> stale connections or broken ones ny networks issues. This works for me
> very fast:
> >   protected boolean validate(DirContextConnection connection) {
> >   if (logger.isDebugEnabled())
> >
>  logger.debug(sm.getString("activeDirectoryRealm.validate"));
> >
> >   SearchControls controls = new SearchControls();
> >   controls.setSearchScope(SearchControls.OBJECT_SCOPE);
> >   controls.setCountLimit(1);
> >   controls.setReturningAttributes(new String[] {
> "objectClass" });
> >   controls.setTimeLimit(500);
> >
> >   try {
> >   NamingEnumeration results =
> connection.context.search("", "objectclass=*",
> >   controls);
> >
> >   if (results.hasMore()) {
> >   close(results);
> >   return true;
> >   }
> >   } catch (NamingException e) {
> >
>  logger.error(sm.getString("activeDirectoryRealm.validate.namingException"),
> e);
> >
> >   return false;
> >   }
> >
> >   return false;
> >   }
> I do this in the acquire() method
>

Ok, but it has a cost and I fundamentally don't see why it's different from
performing the actual operation.


>
> * The acquire(), authenticate(), fail, close(), authenticate(),
> release() is brittle and proved to fail here. I have a curl script which
> does 4 requests in parallel and 1200 requests in total. Pool size is 8.
> 4 connections in the pool. Rest for 16 minutes, connections are broken
> now. Start requests. authenticate() will fail twice because top two
> acquired connections from pool are broken. Requests end with 401. I'd
> prefer to to modify acquire() is such a fashion:
> >   protected DirContextConnection acquire() {
> >   if (logger.isDebugEnabled())
> >
>  logger.debug(sm.getString("activeDirectoryRealm.acquire"));
> >
> >   DirContextConnection connection = null;
> >
> >   while (connection == null) {
> >   connection = connectionPool.pop();
> >
> >  

[Bug 64809] Connection properties not reset to defaults when Connection is returned to the pool

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64809

Mark Thomas  changed:

   What|Removed |Added

   Target Milestone||---
Summary|it's  haven't reset |Connection properties not
   |connection properties based |reset to defaults when
   |on connectionpool   |Connection is returned to
   |configuration information   |the pool
   |when returnConnection   |
Version|8.5.11  |unspecified
  Component|Connectors  |jdbc-pool
Product|Tomcat 8|Tomcat Modules

--- Comment #1 from Mark Thomas  ---
Correcting product (I'm assuming jdbc-pool on the basis I've confirmed DBCP
does reset these properties)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 9.0.x updated: Always retry on a new connection, even when pooling

[remm]

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new a91a861  Always retry on a new connection, even when pooling
a91a861 is described below

commit a91a861fa269383f0f415e95d40066e7de32d895
Author: remm 
AuthorDate: Tue Oct 13 14:19:54 2020 +0200

Always retry on a new connection, even when pooling

This keeps the same very simple design as for the single connection
scenario, for now.
---
 java/org/apache/catalina/realm/JNDIRealm.java | 22 +++---
 webapps/docs/changelog.xml|  5 +
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/realm/JNDIRealm.java 
b/java/org/apache/catalina/realm/JNDIRealm.java
index b9acc42..95b7d0f 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1303,7 +1303,7 @@ public class JNDIRealm extends RealmBase {
 close(connection);
 
 // open a new directory context.
-connection = get();
+connection = get(true);
 
 // Try the authentication again.
 principal = authenticate(connection, username, credentials);
@@ -2374,12 +2374,28 @@ public class JNDIRealm extends RealmBase {
  * @exception NamingException if a directory server error occurs
  */
 protected JNDIConnection get() throws NamingException {
+return get(false);
+}
+
+/**
+ * Open (if necessary) and return a connection to the configured
+ * directory server for this Realm.
+ * @param create when pooling, this forces creation of a new connection,
+ *   for example after an error
+ * @return the connection
+ * @exception NamingException if a directory server error occurs
+ */
+protected JNDIConnection get(boolean create) throws NamingException {
 JNDIConnection connection = null;
 // Use the pool if available, otherwise use the single connection
 if (connectionPool != null) {
-connection = connectionPool.pop();
-if (connection == null) {
+if (create) {
 connection = create();
+} else {
+connection = connectionPool.pop();
+if (connection == null) {
+connection = create();
+}
 }
 } else {
 singleConnectionLock.lock();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7cc0676..0e10f9d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -58,6 +58,11 @@
 64805: Correct imports used by JMXPorxyServlet.
 (markt)
   
+  
+Fix JNDIRealm pooling problems retrying on another bad connection. Any
+retries are made on a new connection, just like with the single
+connection scenario. (remm)
+  
 
   
   


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 8.5.x updated: Always retry on a new connection, even when pooling

[remm]

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 883600b  Always retry on a new connection, even when pooling
883600b is described below

commit 883600b8a77c0be93b3a8dc2404e8d1110970ee7
Author: remm 
AuthorDate: Tue Oct 13 14:19:54 2020 +0200

Always retry on a new connection, even when pooling

This keeps the same very simple design as for the single connection
scenario, for now.
---
 java/org/apache/catalina/realm/JNDIRealm.java | 22 +++---
 webapps/docs/changelog.xml|  5 +
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/realm/JNDIRealm.java 
b/java/org/apache/catalina/realm/JNDIRealm.java
index 72087ab..98007f7 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1311,7 +1311,7 @@ public class JNDIRealm extends RealmBase {
 close(connection);
 
 // open a new directory context.
-connection = get();
+connection = get(true);
 
 // Try the authentication again.
 principal = authenticate(connection, username, credentials);
@@ -2389,12 +2389,28 @@ public class JNDIRealm extends RealmBase {
  * @exception NamingException if a directory server error occurs
  */
 protected JNDIConnection get() throws NamingException {
+return get(false);
+}
+
+/**
+ * Open (if necessary) and return a connection to the configured
+ * directory server for this Realm.
+ * @param create when pooling, this forces creation of a new connection,
+ *   for example after an error
+ * @return the connection
+ * @exception NamingException if a directory server error occurs
+ */
+protected JNDIConnection get(boolean create) throws NamingException {
 JNDIConnection connection = null;
 // Use the pool if available, otherwise use the single connection
 if (connectionPool != null) {
-connection = connectionPool.pop();
-if (connection == null) {
+if (create) {
 connection = create();
+} else {
+connection = connectionPool.pop();
+if (connection == null) {
+connection = create();
+}
 }
 } else {
 singleConnectionLock.lock();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ea25154..7e3c4b9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -61,6 +61,11 @@
 64805: Correct imports used by JMXPorxyServlet.
 (markt)
   
+  
+Fix JNDIRealm pooling problems retrying on another bad connection. Any
+retries are made on a new connection, just like with the single
+connection scenario. (remm)
+  
 
   
   


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[tomcat] branch 9.0.x updated: Always retry on a new connection, even when pooling

[remm]

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new a91a861  Always retry on a new connection, even when pooling
a91a861 is described below

commit a91a861fa269383f0f415e95d40066e7de32d895
Author: remm 
AuthorDate: Tue Oct 13 14:19:54 2020 +0200

Always retry on a new connection, even when pooling

This keeps the same very simple design as for the single connection
scenario, for now.
---
 java/org/apache/catalina/realm/JNDIRealm.java | 22 +++---
 webapps/docs/changelog.xml|  5 +
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/realm/JNDIRealm.java 
b/java/org/apache/catalina/realm/JNDIRealm.java
index b9acc42..95b7d0f 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1303,7 +1303,7 @@ public class JNDIRealm extends RealmBase {
 close(connection);
 
 // open a new directory context.
-connection = get();
+connection = get(true);
 
 // Try the authentication again.
 principal = authenticate(connection, username, credentials);
@@ -2374,12 +2374,28 @@ public class JNDIRealm extends RealmBase {
  * @exception NamingException if a directory server error occurs
  */
 protected JNDIConnection get() throws NamingException {
+return get(false);
+}
+
+/**
+ * Open (if necessary) and return a connection to the configured
+ * directory server for this Realm.
+ * @param create when pooling, this forces creation of a new connection,
+ *   for example after an error
+ * @return the connection
+ * @exception NamingException if a directory server error occurs
+ */
+protected JNDIConnection get(boolean create) throws NamingException {
 JNDIConnection connection = null;
 // Use the pool if available, otherwise use the single connection
 if (connectionPool != null) {
-connection = connectionPool.pop();
-if (connection == null) {
+if (create) {
 connection = create();
+} else {
+connection = connectionPool.pop();
+if (connection == null) {
+connection = create();
+}
 }
 } else {
 singleConnectionLock.lock();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7cc0676..0e10f9d 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -58,6 +58,11 @@
 64805: Correct imports used by JMXPorxyServlet.
 (markt)
   
+  
+Fix JNDIRealm pooling problems retrying on another bad connection. Any
+retries are made on a new connection, just like with the single
+connection scenario. (remm)
+  
 
   
   


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [tomcat] 01/04: Add connection pool to JNDI realm

[Rémy Maucherat]

On Tue, Oct 13, 2020 at 1:49 PM Rémy Maucherat  wrote:

That it's the issue. However, since the realm works well in the single
> connection case, I'd just put that loop in authenticate(String username,
> String credentials), keep the same simple design and be done with it.
>

Done. If it doesn't work, feel free to add more refinements. Otherwise,
I'll backport.

Rémy

[tomcat] branch master updated: Always retry on a new connection, even when pooling

[remm]

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
 new 35b2d79  Always retry on a new connection, even when pooling
35b2d79 is described below

commit 35b2d79ad26535deedcc0c6bea2a057138e1bd30
Author: remm 
AuthorDate: Tue Oct 13 14:19:54 2020 +0200

Always retry on a new connection, even when pooling

This keeps the same very simple design as for the single connection
scenario, for now.
---
 java/org/apache/catalina/realm/JNDIRealm.java | 22 +++---
 webapps/docs/changelog.xml|  5 +
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/java/org/apache/catalina/realm/JNDIRealm.java 
b/java/org/apache/catalina/realm/JNDIRealm.java
index 9ab4c10..a6012bd 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -1303,7 +1303,7 @@ public class JNDIRealm extends RealmBase {
 close(connection);
 
 // open a new directory context.
-connection = get();
+connection = get(true);
 
 // Try the authentication again.
 principal = authenticate(connection, username, credentials);
@@ -2373,12 +2373,28 @@ public class JNDIRealm extends RealmBase {
  * @exception NamingException if a directory server error occurs
  */
 protected JNDIConnection get() throws NamingException {
+return get(false);
+}
+
+/**
+ * Open (if necessary) and return a connection to the configured
+ * directory server for this Realm.
+ * @param create when pooling, this forces creation of a new connection,
+ *   for example after an error
+ * @return the connection
+ * @exception NamingException if a directory server error occurs
+ */
+protected JNDIConnection get(boolean create) throws NamingException {
 JNDIConnection connection = null;
 // Use the pool if available, otherwise use the single connection
 if (connectionPool != null) {
-connection = connectionPool.pop();
-if (connection == null) {
+if (create) {
 connection = create();
+} else {
+connection = connectionPool.pop();
+if (connection == null) {
+connection = create();
+}
 }
 } else {
 singleConnectionLock.lock();
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d935750..97cf512 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -58,6 +58,11 @@
 64805: Correct imports used by JMXPorxyServlet.
 (markt)
   
+  
+Fix JNDIRealm pooling problems retrying on another bad connection. Any
+retries are made on a new connection, just like with the single
+connection scenario. (remm)
+  
 
   
   


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org