Posted to dev@tomcat.apache.org by re...@apache.org on 2020/10/20 09:28:11 UTC
[tomcat] branch 8.5.x updated: Add option from JAAS to the JNDI
realm
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new c7a383d Add option from JAAS to the JNDI realm
c7a383d is described below
commit c7a383d97977dbf84017ee6ac7f62712d1a1709f
Author: remm <re...@apache.org>
AuthorDate: Tue Oct 20 11:21:36 2020 +0200
Add option from JAAS to the JNDI realm
JNDI connections can allocate resources such as threads, so this option
can help avoid classloader leaks.
---
java/org/apache/catalina/realm/JNDIRealm.java | 36 +++++++++++++++++++++++++++
webapps/docs/changelog.xml | 5 ++++
webapps/docs/config/realm.xml | 7 ++++++
3 files changed, 48 insertions(+)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java b/java/org/apache/catalina/realm/JNDIRealm.java
index e5d6faf..daa76bf 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -498,6 +498,14 @@ public class JNDIRealm extends RealmBase {
protected int connectionPoolSize = 1;
+ /**
+ * Whether to use context ClassLoader or default ClassLoader.
+ * True means use context ClassLoader, and True is the default
+ * value.
+ */
+ protected boolean useContextClassLoader = true;
+
+
// ------------------------------------------------------------- Properties
public boolean getForceDnHexEscape() {
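Review bot: The Javadoc on `useContextClassLoader` refers to a "default ClassLoader" without saying which loader that is; in `open()` the alternative turns out to be `this.getClass().getClassLoader()`, the loader that loaded the realm class. I would word it as `Whether the connection is opened with the current thread context ClassLoader (true, the default) or with the ClassLoader that loaded this realm class (false).` Because the field defaults to `true`, existing behaviour is unchanged and the leak protection described in the commit message is opt-in. The changelog entry in this commit reads as if the container loader were now always used, so the two should be aligned.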
@@ -1254,6 +1262,26 @@ public class JNDIRealm extends RealmBase {
return clazz.getConstructor().newInstance();
}
+ /**
+ * Sets whether to use the context or default ClassLoader.
+ * True means use context ClassLoader.
+ *
+ * @param useContext True means use context ClassLoader
+ */
+ public void setUseContextClassLoader(boolean useContext) {
+ useContextClassLoader = useContext;
+ }
+
+ /**
+ * Returns whether to use the context or default ClassLoader.
+ * True means to use the context ClassLoader.
+ *
+ * @return The value of useContextClassLoader
+ */
+ public boolean isUseContextClassLoader() {
+ return useContextClassLoader;
+ }
+
// ---------------------------------------------------------- Realm Methods
/**
@@ -2502,7 +2530,12 @@ public class JNDIRealm extends RealmBase {
* @throws NamingException if a directory server error occurs
*/
protected void open(JNDIConnection connection) throws NamingException {
+ ClassLoader ocl = null;
try {
+ if (!isUseContextClassLoader()) {
+ ocl = Thread.currentThread().getContextClassLoader();
+ Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
+ }
// Ensure that we have a directory context available
connection.context = createDirContext(getDirectoryContextEnvironment());
} catch (Exception e) {
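Review bot: `isUseContextClassLoader()` is evaluated twice, once before the swap here and again before the restore in the last JNDIRealm.java hunk, and the flag is a plain non-final field with a public setter. If the value changes between the two calls (presumably only with a concurrent caller of `setUseContextClassLoader`), the thread either keeps the realm's class loader as its context loader or has its context loader overwritten with the `null` that `ocl` starts with. Reading the flag once removes both cases: `final boolean swapLoader = !isUseContextClassLoader();` before the `try`, then `if (swapLoader) {` at both sites. The restore appears to sit in a `finally` block, but that line and the rest of the catch body are outside the hunks.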
@@ -2519,6 +2552,9 @@ public class JNDIRealm extends RealmBase {
// reset it in case the connection times out.
// the primary may come back.
connectionAttempt = 0;
+ if (!isUseContextClassLoader()) {
+ Thread.currentThread().setContextClassLoader(ocl);
+ }
}
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 108a9e1..d4c8583 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -67,6 +67,11 @@
connection scenario. Also remove all connections from the pool after
an error. (remm)
</fix>
+ <fix>
+ JNDIRealm connections should only be created with the container
+ classloader as the thread context classloader, just like for the JAAS
+ realm. (remm)
+ </fix>
</changelog>
</subsection>
<subseciton name="Coyote">
diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml
index ba8c217..4f515fb 100644
--- a/webapps/docs/config/realm.xml
+++ b/webapps/docs/config/realm.xml
@@ -508,6 +508,13 @@
specified, the default value of <code>302</code> is used.</p>
</attribute>
+ <attribute name="useContextClassLoader" required="false">
+ <p>Instructs JNDIRealm to use the context class loader when opening the
+ connection for the JNDI provider. The default value is
+ <code>true</code>. To load classes using the container's classloader,
+ specify <code>false</code>.</p>
+ </attribute>
+
<attribute name="useDelegatedCredential" required="false">
<p>When the JNDIRealm is used with the SPNEGO authenticator, delegated
credentials for the user may be available. If such credentials are