This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 4ba1769 Add option from JAAS to the JNDI realm
4ba1769 is described below
commit 4ba17698d324f4d0d8565a78021c09d1a33e5cf1
Author: remm <[email protected]>
AuthorDate: Tue Oct 20 11:21:36 2020 +0200
Add option from JAAS to the JNDI realm
JNDI connections can allocate things and resources such as thread, this
can avoid classloader leaking.
---
java/org/apache/catalina/realm/JNDIRealm.java | 36 +++++++++++++++++++++++++++
webapps/docs/changelog.xml | 5 ++++
webapps/docs/config/realm.xml | 7 ++++++
3 files changed, 48 insertions(+)
diff --git a/java/org/apache/catalina/realm/JNDIRealm.java
b/java/org/apache/catalina/realm/JNDIRealm.java
index 30527c4..3d952c0 100644
--- a/java/org/apache/catalina/realm/JNDIRealm.java
+++ b/java/org/apache/catalina/realm/JNDIRealm.java
@@ -490,6 +490,14 @@ public class JNDIRealm extends RealmBase {
protected int connectionPoolSize = 1;
+ /**
+ * Whether to use context ClassLoader or default ClassLoader.
+ * True means use context ClassLoader, and True is the default
+ * value.
+ */
+ protected boolean useContextClassLoader = true;
+
+
// ------------------------------------------------------------- Properties
public boolean getForceDnHexEscape() {
@@ -1246,6 +1254,26 @@ public class JNDIRealm extends RealmBase {
return clazz.getConstructor().newInstance();
}
+ /**
+ * Sets whether to use the context or default ClassLoader.
+ * True means use context ClassLoader.
+ *
+ * @param useContext True means use context ClassLoader
+ */
+ public void setUseContextClassLoader(boolean useContext) {
+ useContextClassLoader = useContext;
+ }
+
+ /**
+ * Returns whether to use the context or default ClassLoader.
+ * True means to use the context ClassLoader.
+ *
+ * @return The value of useContextClassLoader
+ */
+ public boolean isUseContextClassLoader() {
+ return useContextClassLoader;
+ }
+
// ---------------------------------------------------------- Realm Methods
/**
@@ -2487,7 +2515,12 @@ public class JNDIRealm extends RealmBase {
* @throws NamingException if a directory server error occurs
*/
protected void open(JNDIConnection connection) throws NamingException {
+ ClassLoader ocl = null;
try {
+ if (!isUseContextClassLoader()) {
+ ocl = Thread.currentThread().getContextClassLoader();
+
Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
+ }
// Ensure that we have a directory context available
connection.context =
createDirContext(getDirectoryContextEnvironment());
} catch (Exception e) {
@@ -2504,6 +2537,9 @@ public class JNDIRealm extends RealmBase {
// reset it in case the connection times out.
// the primary may come back.
connectionAttempt = 0;
+ if (!isUseContextClassLoader()) {
+ Thread.currentThread().setContextClassLoader(ocl);
+ }
}
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1313b0c..db32630 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -75,6 +75,11 @@
<code>ErrorReportValve</code> that returns response as JSON instead of
HTML. (kfujino)
</add>
+ <fix>
+ JNDIRealm connections should only be created with the container
+ classloader as the thread context classloader, just like for the JAAS
+ realm. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
diff --git a/webapps/docs/config/realm.xml b/webapps/docs/config/realm.xml
index 628b186..eaa8872 100644
--- a/webapps/docs/config/realm.xml
+++ b/webapps/docs/config/realm.xml
@@ -508,6 +508,13 @@
specified, the default value of <code>302</code> is used.</p>
</attribute>
+ <attribute name="useContextClassLoader" required="false">
+ <p>Instructs JNDIRealm to use the context class loader when opening the
+ connection for the JNDI provider. The default value is
+ <code>true</code>. To load classes using the container's classloader,
+ specify <code>false</code>.</p>
+ </attribute>
+
<attribute name="useDelegatedCredential" required="false">
<p>When the JNDIRealm is used with the SPNEGO authenticator, delegated
credentials for the user may be available. If such credentials are
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
