CAS Server / CAS-987

Permit use of LDAP connections pool in AbstractLdapPersonDirectoryCredentialsToPrincipalResolver and AbstractLdapUsernamePasswordAuthenticationHandler

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects versions: 3.3.5.1, 3.4.8
    • Fix versions: 3.4.9
    • Components: Authentication, LDAP
    • Labels:
      None
    • Environment:
      CentOS 5.6 32bit
      Java oracle JDK 1.6.0u24
      Apache Tomcat 6.0.32
      CAS authentication method used: X509 (upn field) + X509 (CN field) + Login/password on Active Directory, each with one CredentialToPrincipalNameResolver attached.

      Description

      After a little play with JMeter, it points out that I have an issue with LDAP connection times. We use SSL to secure the connection between CAS and Active Directory, and it appeared that the time needed to establish a connection is about 200ms. With our authentication configuration, I get 4 connections for a login/password authentication: 1 for each authentication method & 1 for authentication checking. A bit expensive I think.
      I looked at the sources and unfortunately, the two classes involved in LDAP connections don't allow connection pooling:

      • AbstractLdapPersonDirectoryCredentialsToPrincipalResolver requires a LdapContextSource bean which I don't know how to pool. I've tested with org.springframework.ldap.pool.factory.PoolingContextSource and got an exception (Spring cannot cast a ContextSource to a LdapContextSource)
      • AbstractLdapUsernamePasswordAuthenticationHandler uses only one ContextSource for 2 purposes: authentication & lookup. I've read that authentication connections cannot be pooled because of authentication context that is not reset between uses, but lookup connections could/should be pooled I think.

      So I made a test: I copied these two abstract classes and daughter classes, made the needed modifications and it seems to work as I expected.

      But as I'm not a Java expert, I don't know if it's a good idea.

        Attachments

        1. auth.principal.patch
          4 kB
          Philippe Marasse
        2. ldap.adaptor.patch
          3 kB
          Philippe Marasse
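
The split described in the report (pool the lookup connections, never pool the connections that bind as the user) can be modelled offline. This is an added example, not code from the attached patches, CAS or Spring LDAP; `FakeLdapConnection`, `Pool`, the DNs and the simplified one-lookup-plus-one-bind login flow are constructed for illustration.

```python
from collections import deque

CONNECT_MS = 200  # per-connection TLS setup time reported in the issue


class FakeLdapConnection:
    """Constructed stand-in for an LDAP connection; tracks who it is bound as."""
    opened = 0  # new connections created so far (each costs CONNECT_MS)

    def __init__(self, bound_as):
        FakeLdapConnection.opened += 1
        self.bound_as = bound_as

    def bind(self, dn):
        self.bound_as = dn  # an LDAP bind replaces the connection's identity


class Pool:
    """Minimal pool that, like the case described, does not reset identity."""
    def __init__(self, service_dn):
        self.service_dn = service_dn
        self.idle = deque()

    def borrow(self):
        return self.idle.popleft() if self.idle else FakeLdapConnection(self.service_dn)

    def give_back(self, conn):
        self.idle.append(conn)


def login_shared_pool(pool, user_dn):
    """One pooled source used for both the lookup and the user's bind."""
    conn = pool.borrow()
    searched_as = conn.bound_as  # identity the directory lookup runs under
    conn.bind(user_dn)           # password check re-binds the pooled connection
    pool.give_back(conn)         # goes back still bound as the user
    return searched_as


def login_split(pool, user_dn):
    """Pooled source for lookup only; a fresh, never-pooled connection binds."""
    conn = pool.borrow()
    searched_as = conn.bound_as
    pool.give_back(conn)
    FakeLdapConnection(user_dn)  # one-off bind connection, discarded afterwards
    return searched_as


def run(login, users, service_dn="cn=cas-svc"):
    """Return (identity used for each lookup, total connection setup cost in ms)."""
    FakeLdapConnection.opened = 0
    pool = Pool(service_dn)
    return [login(pool, u) for u in users], FakeLdapConnection.opened * CONNECT_MS
```

Over three logins, the shared pool runs the second and third lookups under the previous user's identity, while the split design keeps every lookup on the service account and pays for one new bind connection per login.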

            People

            • Assignee:
              battags ScottS
              Reporter:
              pmarasse Philippe Marasse
            • Votes:
              1
              Watchers:
              4