You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@commons.apache.org by bu...@apache.org on 2003/03/05 17:37:53 UTC

DO NOT REPLY [Bug 17677] New: - Pooled connection architecture vulnerable to double use

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17677>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17677

Pooled connection architecture vulnerable to double use

           Summary: Pooled connection architecture vulnerable to double use
           Product: Commons
           Version: 1.4 Final
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Dbcp
        AssignedTo: commons-dev@jakarta.apache.org
        ReportedBy: flawlor@athensgroup.com


There are several circumstances where two different pieces of code can be 
inadvertently sharing the same connection.  Obviously this is a serious 
problem.  Oftentimes this manifests itself as an error about the connection 
suddenly becoming closed, in an invalid state, etc.  Notice how often these 
symptoms are reported in various forums when people start using connection 
pools.

In a transactional environment this can be especially serious since either of 
the users of the connection may commit it while the other has made partial 
updates.  This can easily lead to corruption of the database.

Debugging this problem is especially difficult since it may only appear 
intermittently and under load.  It can be very difficult to reproduce for 
debugging.  This is even more of a problem when connections are closed in 
finalize() methods (a common practice) because of their asynchronous and 
delayed behavior.

There is a fundamental architectural flaw which makes this all possible.  When 
a pooled connection (e.g., org.apache.commons.dbcp.PoolableConnection) is 
returned to the pool, the very same instance is later handed out.  Note that 
this is not necessary for reuse of the underlying real connection (e.g.,  
java.sql.Connection).  A new wrapper class could be instantiated around the 
existing real connection and the old one discarded.  Because the same wrapper 
class instance is handed out multiple times, it makes it possible for 
inadvertent sharing to occur.

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org