2 Replies Latest reply on Nov 15, 2001 8:47 PM by David Jencks

    XADataSourceImpl possible bug

    Sergey Newbie

      Hi All,

      I believe we found a problem with org.jboss.pool.jdbc.xa.wrapper.XADataSourceImpl connection pool. It is 100% reproducible on our systems that under certain conditions a connection is given from the pool to a user with different database login credentials.

      We would like to troubleshoot the issue but source code of this class as well as the rest of the package are not available to us. We can't find them either in zips at http://www.jboss.org/snapshots/ (firewall blocks CVS) or through cvsweb on SourceForge.

      Here's how it happens. Our web app is not using any of J2EE authentication. We simply let in anybody who successfully authenticates against the database (DB2, both net and app drivers were tested). We enable connection pool logging and start JBoss, the pool is empty. A user with valid login/password enters the application, we lookup the data source and call getConnection(login, password). User is then doing some actions which lead to ((DataSource)lookup("..")).getConnection() being called at least two more times. We observe in the log that pool always gives out the same connection, the total number of connections in the pool is always 1.
      This user now closes the browser. Then the browser is opened, and he accesses the web application again, now supplying wrong login and/or password. Application invalidates the session when this request arrives. Our code then calls getConnection(wronglogin, wrongpassword), and instead of
      getting DB2 SQL exception as we usually do in this situation, we get *the same* old connection from the pool. Apparently, no attempts are made to connect to DB2 with wrong credentials. Now, unauthorized user is riding someone else's connection.

      As a side note, there's also a problem inside connection wrapper implementation that leads to throwing NullPointerException instead of SQLException when connection is not established because of wrong credentials.

      We'll be grateful for any ideas on fixing this. Thank you!

        • 1. Re: XADataSourceImpl possible bug
          Andreas Schaefer Apprentice

          To see the code you have to checkout CVS module "jbosspool" with branch "Branch_2_4".

          Andy

          • 2. Re: XADataSourceImpl possible bug
            David Jencks Master

            1. You can almost certainly get rid of the npe by setting blocking= true and a blocking timeout if you wish.

            2. I'm not very familiar with the XADataSourceLoader login code. The pools actually support a per-user pooling strategy, although per-factory is the default. I'm not sure if you can set this parameter in XADataSourceLoader.

            2.5 Using jboss 3 and ConnectionFactoryLoaders and possibly jboss2.4.4 and ConnectionFactoryLoaders you definitely can set the pool to per-user. I'm not sure how much of this will work if you use application-managed signon, but I suggest you use h2ee security to keep track of who your users are. You will then be able to easily write a new PrincipalMapping class that takes the users name and password, makes a Subject, and gives it to the driver for login, and uses it as a pool key.

            Note that if you have many users.... you should set the idle timeout short so you don't have zillions of connections for people who are long gone and far away.