Bug 50775 - JNDIRealm fails with ServiceUnavailableException and NotContextException
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.29
Hardware: PC Linux
Importance: P2 major
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Depends on: 33774
Reported: 2011-02-14 16:19 UTC by Dan McLaughlin
Modified: 2011-02-17 18:57 UTC



Description Dan McLaughlin 2011-02-14 16:19:09 UTC
+++ This bug was initially created as a clone of Bug #33774 +++
JNDIRealm fails with ServiceUnavailableException and NotContextException

We are experiencing an issue very similar to the one reported in https://issues.apache.org/bugzilla/show_bug.cgi?id=33774

After Tomcat is running for some period of time, any attempts to use the JNDI Realm fail with a ServiceUnavailableException and NotContextException (see full exception below).  A restart of Tomcat is required to fix the problem.  We only see this issue on Linux (Linux details below). We are running the exact same Tomcat binaries (not the native libraries of course) and configuration on Windows 2003 R2 and AIX 5.3 and we don't see this issue. I added alternateURL in hopes it might help, but the problem still exists.  

My JNDI Realm Definition:

      <Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://ldap01:389"
        alternateURL="ldap://ldap02:389"
        connectionName="uid=ldapbind,cn=Applications,cn=MYSCOPE"
        connectionPassword="********"
        userBase="cn=MYSCOPE"
        userSearch="(uid={0})"
        userSubtree="true"
        roleBase="cn=MYSCOPE"
        roleSearch="(uniqueMember={0})"
        roleSubtree="true"
        roleName="cn"
      />

Tomcat Version Information:

Feb 14, 2011 5:12:15 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
...
Feb 14, 2011 5:12:19 AM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
...
Feb 14, 2011 5:12:31 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.29

Java Version Information:
[root@AS01 bin]# ./java -version
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) Server VM (build 17.1-b03, mixed mode)

Linux Version Information:
[root@AS01 ~]# cat /etc/redhat-release 
CentOS release 5.3 (Final)
[root@AS01 ~]# uname -a
Linux AS01.dev.local 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 09:19:18 EDT 2009 i686 i686 i386 GNU/Linux


Feb 14, 2011 2:17:12 PM org.apache.catalina.realm.JNDIRealm authenticate
WARNING: Exception performing authentication
javax.naming.ServiceUnavailableException: ldap01:389; socket closed; remaining name 'cn=MYSCOPE'
	at com.sun.jndi.ldap.Connection.readReply(Connection.java:419)
	at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:611)
	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:534)
	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1962)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1824)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1340)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1188)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1147)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1089)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:947)
	at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
	at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:269)
	at org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:81)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
	at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
	at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
	at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
	at java.lang.Thread.run(Thread.java:662)
Feb 14, 2011 2:17:12 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.NotContextException: Not an instance of DirContext
	at javax.naming.directory.InitialDirContext.getURLOrDefaultInitDirCtx(InitialDirContext.java:92)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
	at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1340)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1188)
	at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:1147)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1089)
	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:994)
	at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
	at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:269)
	at org.apache.catalina.valves.RemoteAddrValve.invoke(RemoteAddrValve.java:81)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
	at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:861)
	at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
	at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1584)
	at java.lang.Thread.run(Thread.java:662)
Comment 1 Mark Thomas 2011-02-17 18:57:30 UTC
It looks like the connection is timing out but the attempt to reconnect is failing. The NotContextException is really odd. That it works on Windows and AIX but not Linux points to a JVM bug, rather than a Tomcat issue.

It might be possible to figure out a workaround with more information although the Tomcat developers generally don't like putting workarounds for JVM bugs, OS bugs etc into the Tomcat codebase.

Ideally, a reproducible test case is required. In these circumstances that looks unlikely.

The best way forward would be to use the users list to help you debug. Personally, I'd run a Tomcat instance configured to allow remote debugging (suitably secured) and when the error starts happening debug my way through the Tomcat and JVM code to see if I could figure out what the problem was. I'd also have a working instance to hand so I could compare the two.
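
A log triage sketch for the failure signature in this report, added here as an example (it is not part of the bug report or of Tomcat): it parses the two-line log records shown above and flags a JNDIRealm WARNING that is directly followed by a JNDIRealm SEVERE, which is how a failed retry appears in the reporter's log. The function names, the 5-second window and the sample log are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

REALM = "org.apache.catalina.realm.JNDIRealm"
HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO): ")
EXC = re.compile(r"^([\w.$]+(?:Exception|Error))\b")

# Constructed sample in the log layout shown in the report (traces shortened;
# the third record is invented to show a first failure with no failed retry).
SAMPLE_LOG = """\
Feb 14, 2011 2:17:12 PM org.apache.catalina.realm.JNDIRealm authenticate
WARNING: Exception performing authentication
javax.naming.ServiceUnavailableException: ldap01:389; socket closed; remaining name 'cn=MYSCOPE'
\tat com.sun.jndi.ldap.Connection.readReply(Connection.java:419)
Feb 14, 2011 2:17:12 PM org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.NotContextException: Not an instance of DirContext
Feb 14, 2011 2:20:01 PM org.apache.catalina.realm.JNDIRealm authenticate
WARNING: Exception performing authentication
javax.naming.CommunicationException: ldap01:389
"""

def parse_records(text):
    """Group header line, level line and first exception line into one record."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": datetime.strptime(m.group(1), "%b %d, %Y %I:%M:%S %p"),
                   "source": m.group(2), "level": None, "exception": None}
            records.append(cur)
        elif cur is not None:  # stack frames start with a tab and match neither regex
            lv, ex = LEVEL.match(line), EXC.match(line)
            if lv and cur["level"] is None:
                cur["level"] = lv.group(1)
            elif ex and cur["exception"] is None:
                cur["exception"] = ex.group(1)
    return records

def failed_reconnects(records, window=timedelta(seconds=5)):
    # Assumption read off the report's log: WARNING = first attempt, SEVERE = retry.
    realm = [r for r in records if r["source"] == REALM and r["exception"]]
    return [(a["time"], a["exception"], b["exception"])
            for a, b in zip(realm, realm[1:])
            if a["level"] == "WARNING" and b["level"] == "SEVERE"
            and b["time"] - a["time"] <= window]
```

Each returned tuple carries the timestamp plus the first-attempt and retry exception classes, so a spike of these pairs marks the point at which realm authentication stopped working until restart.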