Subject: Grouper Developers Forum
- From: Tom Zeller <>
- To: "Michael R. Gettes" <>
- Cc: Jim Fox <>, Grouper Dev <>
- Subject: Re: [grouper-dev] UW's initial look at grouper
- Date: Fri, 17 Apr 2009 12:25:32 -0500
For what it's worth :
"If you use connection pooling [with TLS], you might be compromising the security of your application."
When Not to Use Pooling
Pooled connections are intended to be reused. Therefore, if you plan to perform operations on a Context instance that might alter the underlying connection's state, then you should not use connection pooling for that Context instance. For example, if you plan to invoke the Start TLS extended operation on a Context instance, or plan to change security-related properties (such as "java.naming.security.principal" or "java.naming.security.protocol") after the initial context has been created, you should not use connection pooling for that Context instance because the LDAP provider does not track any such state changes. If you use connection pooling in such situations, you might be compromising the security of your application.
On Fri, Apr 17, 2009 at 12:20 PM, Michael R. Gettes <> wrote:
I have always done it with SSL and it seems to work just
fine. I admit I have not done so with TLS.
On Apr 17, 2009, at 13:18, Jim Fox wrote:
Sun's own documentation says not to try to use connection pooling with
TLS. Ignoring that I've tried many times to get it to work, both with
grouper and with a shib 1.3 IdP. All without success. The VT library
works just fine right out of the box.
On Fri, 2009-04-17 at 06:53 -0700, Michael R. Gettes wrote:
I thought the issue of the JNDI adapter was resolved some time
ago to allow for connection pooling? This involved the setting
of an environment variable in the grouper code enabling the pooling
built into the sun code. I also believe the sun jndi does support
ssl and connection pooling for ssl. What leads you to believe it
doesn't? What am i missing?
On Apr 16, 2009, at 17:05, Jim Fox wrote:
(this is my initial look, not RLBob's)
We are looking at Grouper as a possibly registry for our groups
presently supported by an LDAP directory and a RESTful webservice.
testing and planning, not yet installing. These are some random
we've encountered. Not complaining, just thought I'd let you know.
1) Jndi source adapter
The jndi classes from Sun do not support ldap connections using ssl or
tls very well. They do not support connection pooling, thereby
a lot of connection overhead. We wrote a source adapter using the
library from virginia tech - the one used by shibboleth. It works
a bit more efficiently.
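To make the quoted Sun caveat concrete, here is an added illustration in Java (not code from this thread, from Grouper, or from the VT library) of the two configurations the documentation distinguishes: an LDAPS context whose security properties are all fixed before creation, which the Sun/JDK provider can pool safely, beside a StartTLS context that upgrades an existing connection and binds afterwards, which must not be pooled. The hostnames, the bind DN and the way the password arrives are placeholders (assumptions); the environment and system property names are the provider's own.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/**
 * Added example illustrating the pooling caveat quoted from the Sun JNDI docs.
 * Hostnames, ports and DNs below are assumed placeholders, not real deployments.
 */
public class JndiPoolingDemo {

    private static final String BIND_DN   = "cn=grouper,ou=apps,dc=example,dc=edu"; // assumed
    private static final String LDAPS_URL = "ldaps://ldap.example.edu:636";         // assumed
    private static final String LDAP_URL  = "ldap://ldap.example.edu:389";          // assumed

    /**
     * Safe to pool: LDAPS is encrypted from the first byte and every
     * security-related property is fixed before the context exists, so nothing
     * later mutates the state of a pooled socket. The provider only pools
     * "plain" connections unless the JVM is started with
     *   -Dcom.sun.jndi.ldap.connect.pool.protocol="plain ssl"
     * so that system property is set here for the demo.
     */
    static LdapContext pooledLdapsContext(char[] password) throws NamingException {
        System.setProperty("com.sun.jndi.ldap.connect.pool.protocol", "plain ssl");

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        env.put("com.sun.jndi.ldap.connect.pool", "true"); // pooling is keyed on this env
        return new InitialLdapContext(env, null);
    }

    /**
     * Must NOT be pooled: the socket is opened in the clear, upgraded with the
     * StartTLS extended operation, and the bind happens only afterwards by
     * changing security properties on the existing context. The pool matches
     * connections on the environment given at creation time and does not track
     * the TLS upgrade or the later bind, so a reused connection could be handed
     * to another caller in the wrong security state. Leave
     * com.sun.jndi.ldap.connect.pool unset for this context.
     */
    static LdapContext startTlsContext(char[] password) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // anonymous until TLS is up
        LdapContext ctx = new InitialLdapContext(env, null);

        // Upgrade the cleartext connection; negotiate() uses the default
        // SSLSocketFactory and checks the server certificate against the URL host.
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();

        // Bind only after the upgrade. This is exactly the post-creation change of
        // security properties that the Sun documentation says pooling cannot track.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(password));
        ctx.reconnect(null); // performs the bind on the now-encrypted connection

        // Caller owns this context: close the TLS layer (tls.close()) and then
        // ctx.close() when done; never share it through a pool.
        return ctx;
    }
}
```

The practical reading for an adapter that needs to reuse connections with the Sun provider is: terminate TLS with an ldaps:// URL, fix principal and credentials in the initial environment, and enable pooling; if StartTLS on port 389 is a requirement, either give up the provider's pool for that context or use a library whose pool understands the upgrade. Setting `com.sun.jndi.ldap.connect.pool.debug` to `fine` on the JVM command line shows which environments the pool actually treats as equivalent when checking a configuration like the first method above.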
- UW's initial look at grouper, Jim Fox, 04/16/2009
- Re: [grouper-dev] UW's initial look at grouper, Tom Barton, 04/16/2009
- Re: [grouper-dev] UW's initial look at grouper, Michael R. Gettes, 04/17/2009
- Re: [grouper-dev] UW's initial look at grouper, RL 'Bob' Morgan, 04/17/2009
- Re: [grouper-dev] UW's initial look at grouper, GW Brown, Information Systems and Computing, 04/20/2009