2 Replies Latest reply on Nov 15, 2001 8:47 PM by davidjencks

    XADataSourceImpl possible bug

    thesergio

      Hi All,

      I believe we found a problem with the org.jboss.pool.jdbc.xa.wrapper.XADataSourceImpl connection pool. It is 100% reproducible on our systems that, under certain conditions, a connection is given from the pool to a user with different database login credentials.

      We would like to troubleshoot the issue, but the source code of this class, as well as the rest of the package, is not available to us. We can't find it either in the zips at http://www.jboss.org/snapshots/ (the firewall blocks CVS) or through cvsweb on SourceForge.

      Here's how it happens. Our web app is not using any J2EE authentication. We simply let in anybody who successfully authenticates against the database (DB2; both the net and app drivers were tested). We enable connection pool logging and start JBoss; the pool is empty. A user with a valid login/password enters the application, and we look up the data source and call getConnection(login, password). The user then performs some actions which lead to ((DataSource)lookup("..")).getConnection() being called at least two more times. We observe in the log that the pool always gives out the same connection; the total number of connections in the pool is always 1.
      This user now closes the browser. Then the browser is opened again, and he accesses the web application, now supplying a wrong login and/or password. The application invalidates the session when this request arrives. Our code then calls getConnection(wronglogin, wrongpassword), and instead of getting a DB2 SQL exception as we usually do in this situation, we get *the same* old connection from the pool. Apparently, no attempt is made to connect to DB2 with the wrong credentials. Now an unauthorized user is riding someone else's connection.

      As a side note, there's also a problem inside the connection wrapper implementation that leads to a NullPointerException being thrown instead of an SQLException when a connection is not established because of wrong credentials.

      We'll be grateful for any ideas on fixing this. Thank you!

        • 1. Re: XADataSourceImpl possible bug
          schaefera

          To see the code you have to check out the CVS module "jbosspool" with branch "Branch_2_4".

          Andy

          • 2. Re: XADataSourceImpl possible bug
            davidjencks

            1. You can almost certainly get rid of the NPE by setting blocking=true and a blocking timeout if you wish.

            2. I'm not very familiar with the XADataSourceLoader login code. The pools actually support a per-user pooling strategy, although per-factory is the default. I'm not sure if you can set this parameter in XADataSourceLoader.

            2.5 Using jboss 3 and ConnectionFactoryLoaders and possibly jboss2.4.4 and ConnectionFactoryLoaders you definitely can set the pool to per-user. I'm not sure how much of this will work if you use application-managed signon, but I suggest you use J2EE security to keep track of who your users are. You will then be able to easily write a new PrincipalMapping class that takes the user's name and password, makes a Subject, and gives it to the driver for login, and uses it as a pool key.

            Note that if you have many users.... you should set the idle timeout short so you don't have zillions of connections for people who are long gone and far away.
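
The difference between the per-factory and per-user pooling strategies discussed in this thread, as an added example that is not part of any post and is not JBoss code. The classes, the constructed account and the in-memory credential check are all hypothetical stand-ins for the pool and for DB2.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not JBoss code; every name below is hypothetical.
public class PoolKeyDemo {
    record Conn(String openedAs) {}             // stand-in for a physical DB connection
    record Key(String user, String password) {} // per-user pool key

    // Stand-in for the database's own credential check (constructed account).
    static final Map<String, String> DB_USERS = Map.of("alice", "s3cret");

    static Conn connect(String user, String password) {
        if (!password.equals(DB_USERS.get(user)))
            throw new SecurityException("database rejected login for " + user);
        return new Conn(user);
    }

    // Per-factory pooling: one shared slot; credentials are not part of the key.
    static class PerFactoryPool {
        private Conn idle;
        Conn getConnection(String user, String password) {
            if (idle == null) idle = connect(user, password);
            return idle; // reused without looking at who is asking
        }
    }

    // Per-user pooling: a pooled connection is reused only for the same
    // credentials; anything else goes to the database and can be rejected.
    static class PerUserPool {
        private final Map<Key, Conn> idle = new HashMap<>();
        Conn getConnection(String user, String password) {
            return idle.computeIfAbsent(new Key(user, password),
                    k -> connect(k.user(), k.password()));
        }
    }

    public static void main(String[] args) {
        PerFactoryPool shared = new PerFactoryPool();
        shared.getConnection("alice", "s3cret");
        // Wrong credentials still receive the connection opened as alice.
        System.out.println("per-factory: " + shared.getConnection("bob", "wrong"));

        PerUserPool keyed = new PerUserPool();
        keyed.getConnection("alice", "s3cret");
        try {
            keyed.getConnection("bob", "wrong");
        } catch (SecurityException e) {
            System.out.println("per-user: " + e.getMessage());
        }
    }
}
```

The sketch keeps the password in the key only for brevity; keying on a Subject, as the last reply suggests, serves the same purpose.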