This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 6fe9ef6 Add option from JAAS to the JNDI realm
6fe9ef6 is described below
commit 6fe9ef6c9af4682178cfb48e5fab1f132da0464d
Author: remm <[email protected]>
AuthorDate: Tue Oct 20 11:21:36 2020 +0200
Add option from JAAS to the JNDI realm
JNDI connections can allocate things and resources such as thread, this
can avoid classloader leaking.
---
java/org/apache/catalina/realm/JNDIRealm.java | 36 +++++++++++++++++++++++++++
webapps/docs/changelog.xml | 5 ++++
webapps/docs/config/realm.xml | 7 ++++++
3 files changed, 48 insertions(+)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java
b/java/org/apache/catalina/realm/JNDIRealm.java
index 21e9f17..e7543d8 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -490,6 +490,14 @@ public class JNDIRealm extends RealmBase {
protected int connectionPoolSize = 1;
+ /**
+ * Whether to use context ClassLoader or default ClassLoader.
+ * True means use context ClassLoader, and True is the default
+ * value.
+ */
+ protected boolean useContextClassLoader = true;
+
+
// ------------------------------------------------------------- Properties
public boolean getForceDnHexEscape() {
@@ -1246,6 +1254,26 @@ public class JNDIRealm extends RealmBase {
return clazz.getConstructor().newInstance();
}
+ /**
+ * Sets whether to use the context or default ClassLoader.
+ * True means use context ClassLoader.
+ *
+ * @param useContext True means use context ClassLoader
+ */
+ public void setUseContextClassLoader(boolean useContext) {
+ useContextClassLoader = useContext;
+ }
+
+ /**
+ * Returns whether to use the context or default ClassLoader.
+ * True means to use the context ClassLoader.
+ *
+ * @return The value of useContextClassLoader
+ */
+ public boolean isUseContextClassLoader() {
+ return useContextClassLoader;
+ }
+
// ---------------------------------------------------------- Realm Methods
/**
@@ -2486,7 +2514,12 @@ public class JNDIRealm extends RealmBase {
* @throws NamingException if a directory server error occurs
*/
protected void open(JNDIConnection connection) throws NamingException {
+ ClassLoader ocl = null;
try {
+ if (!isUseContextClassLoader()) {
+ ocl = Thread.currentThread().getContextClassLoader();
+
Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
+ }
// Ensure that we have a directory context available
connection.context =
createDirContext(getDirectoryContextEnvironment());
} catch (Exception e) {
@@ -2503,6 +2536,9 @@ public class JNDIRealm extends RealmBase {
// reset it in case the connection times out.
// the primary may come back.
connectionAttempt = 0;
+ if (!isUseContextClassLoader()) {
+ Thread.currentThread().setContextClassLoader(ocl);
+ }
}
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f174bc9..1f72a47 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -75,6 +75,11 @@
<code>ErrorReportValve</code> that returns response as JSON instead of
HTML. (kfujino)
</add>
+ <fix>
+ JNDIRealm connections should only be created with the container
+ classloader as the thread context classloader, just like for the JAAS
+ realm. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml
index d14fde1..05e50bf 100644
--- a/webapps/docs/config/realm.xml
+++ b/webapps/docs/config/realm.xml
@@ -508,6 +508,13 @@
specified, the default value of <code>302</code> is used.</p>
</attribute>
+ <attribute name="useContextClassLoader" required="false">
+ <p>Instructs JNDIRealm to use the context class loader when opening the
+ connection for the JNDI provider. The default value is
+ <code>true</code>. To load classes using the container's classloader,
+ specify <code>false</code>.</p>
+ </attribute>
+
<attribute name="useDelegatedCredential" required="false">
<p>When the JNDIRealm is used with the SPNEGO authenticator, delegated
credentials for the user may be available. If such credentials are
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
