I’ve got Tomcat configured with a JNDI Realm talking to Microsoft Active Directory over LDAP. It works perfectly when ActiveDirectory works; but when ActiveDirectory gets flaky (which it sometimes does), Tomcat doesn’t handle it well. In one particular case, I’ve got one thread stuck trying to talk to ActiveDirectory and 199 additional threads waiting for the first thread to release its lock on the JNDIRealm. Relevant bits of the stack dump are below.
My first question is: is there a way to configure the JNDIRealm to be more fault-tolerant? It looks like I could add an alternateURL attribute -- but in this case, it seems like the connection is hung and the JNDIRealm doesn't recognize a failure, so it wouldn't fail over to the alternateURL. Is there anything else I can do to allow the JNDIRealm to recover from this situation? My second question is: really -- authentication is serialized? Then I realized that the big bold TODO in the docs would address this problem. ( http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/JNDIRealm.html). Bummer. I ought to get coding on that... Any thoughts appreciated! Thanks, Pat. Here’s one of the 199 blocked threads: "http-8080-200" daemon prio=10 tid=0x00007f1de0073800 nid=0x7f1e waiting for monitor entry [0x00007f1dbcd8c000] java.lang.Thread.State: BLOCKED (on object monitor) at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1044) - waiting to lock <0x0000000780053fe0> (a org.apache.catalina.realm.JNDIRealm) at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:945) at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:523) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:679) Here’s the blocking thread: "http-8080-4" daemon prio=10 tid=0x00007f1de000d800 nid=0x2332 in Object.wait() [0x00007f1e1c2d9000] java.lang.Thread.State: TIMED_WAITING (on object monitor) at java.lang.Object.wait(Native Method) - waiting on <0x00000007843fdc38> (a com.sun.jndi.ldap.LdapRequest) at com.sun.jndi.ldap.Connection.readReply(Connection.java:447) - locked <0x00000007843fdc38> (a com.sun.jndi.ldap.LdapRequest) at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358) - locked <0x00000007843fdbd8> (a com.sun.jndi.ldap.LdapClient) at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210) - locked <0x00000007843fdbd8> (a com.sun.jndi.ldap.LdapClient) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685) at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2593) at com.sun.jndi.ldap.LdapCtx.ensureOpen(LdapCtx.java:2567) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1932) at com.sun.jndi.ldap.LdapCtx.doSearchOnce(LdapCtx.java:1924) at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1317) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:231) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:139) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:127) at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:140) at org.apache.catalina.realm.JNDIRealm.bindAsUser(JNDIRealm.java:1562) at org.apache.catalina.realm.JNDIRealm.checkCredentials(JNDIRealm.java:1416) at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1092) - locked <0x0000000780053fe0> (a org.apache.catalina.realm.JNDIRealm) at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:977) at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:523) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:679) * * * *
