LDAP Connection Leak During @RefreshScope Refresh - PRs #8098 & #8099


steven gladwell

Dec 9, 2025, 2:59:26 PM
to CAS Community
Hello CAS Community, 

I've discovered and fixed an LDAP connection leak issue affecting CAS 7.3.x and master that occurs during Spring @RefreshScope refresh cycles (triggered via /actuator/refresh endpoint). 

Problem:

When @RefreshScope bean recreation occurs, LdapAuthenticationHandler instances wrapped in BeanContainer are not properly destroyed. Spring only manages the BeanContainer lifecycle, not the handlers inside it. This prevents LdapAuthenticationHandler.destroy() from being called, leaving LDAP connection pools open and leaking threads with each refresh cycle. 

Validation:

I confirmed this using VisualVM thread profiling:

- Before fix: Thread count increases with each /actuator/refresh call, and the live thread viewer shows multiple ldap threads.
- After fix: Thread count remains flat, and the live thread viewer does not show multiple, concurrent ldap threads; connections are properly closed.

Solution:

LdapAuthenticationPlanConfiguration now implements DisposableBean to explicitly track and destroy LDAP handlers during bean destruction. This follows the same pattern already used by LdapHttpSecurityCasWebSecurityConfigurer in the same file (line 139). 

Pull Requests

Bot Auto-Closed

Both PRs were auto-closed by the bot requesting unit tests. However, this is a Spring lifecycle management issue that's difficult to test in isolation because: 

  1. Unit tests don't exercise Spring Cloud's @RefreshScope proxy destruction behavior
  2. The issue requires actual LDAP connection pool behavior over multiple refresh cycles
  3. The existing precedent (LdapHttpSecurityCasWebSecurityConfigurer.destroy()) in the same file also has no dedicated lifecycle tests

Request for Feedback

We'd appreciate maintainer review of these PRs. Happy to discuss the testing approach or make any changes needed. If there's a practical way to add lifecycle tests for @RefreshScope behavior, we're open to implementing that. Thank you for your consideration. 
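The lifecycle rule behind the report above, shown as an added, self-contained example rather than code from the PRs or from CAS itself: Spring invokes destruction callbacks only on the beans it manages, so a holder bean that merely wraps objects with their own destroy() leaves those objects open unless something that Spring does destroy closes them. The names PooledHandler, HandlerContainer, LeakyConfig and FixedConfig are hypothetical stand-ins for LdapAuthenticationHandler, BeanContainer and the two versions of the configuration class; the example needs only spring-context on the classpath, and uses a context close to trigger the same destruction callbacks that a @RefreshScope refresh fires on refresh-scoped beans.

```java
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

public class LifecycleLeakDemo {

    /** Hypothetical stand-in for LdapAuthenticationHandler: owns a resource that must be closed explicitly. */
    static final class PooledHandler {
        private final String name;
        private volatile boolean open = true;
        PooledHandler(String name) { this.name = name; }
        void destroy() { open = false; }      // stands in for closing the LDAP connection pool
        boolean isOpen() { return open; }
        String name() { return name; }
    }

    /** Hypothetical stand-in for BeanContainer: a plain holder with no lifecycle callbacks of its own. */
    static final class HandlerContainer {
        private final List<PooledHandler> handlers;
        HandlerContainer(List<PooledHandler> handlers) { this.handlers = List.copyOf(handlers); }
        List<PooledHandler> toList() { return handlers; }
    }

    /** Leaky shape: Spring destroys the container bean, but the handlers inside it are never told to close. */
    @Configuration
    static class LeakyConfig {
        @Bean
        HandlerContainer ldapHandlers() {
            return new HandlerContainer(List.of(new PooledHandler("ldap-1"), new PooledHandler("ldap-2")));
        }
    }

    /** Fixed shape: the configuration remembers what it built and closes it when Spring destroys the configuration bean. */
    @Configuration
    static class FixedConfig implements DisposableBean {
        private final List<PooledHandler> created = new CopyOnWriteArrayList<>();

        @Bean
        HandlerContainer ldapHandlers() {
            List<PooledHandler> handlers = List.of(new PooledHandler("ldap-1"), new PooledHandler("ldap-2"));
            created.addAll(handlers);          // track every handler this configuration hands out
            return new HandlerContainer(handlers);
        }

        @Override
        public void destroy() {
            created.forEach(PooledHandler::destroy);   // close what we created; Spring would not do it for us
            created.clear();
        }
    }

    /** Builds a context from the given configuration, closes it, and reports how many handlers stayed open. */
    static long openHandlersAfterClose(Class<?> config) {
        HandlerContainer container;
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(config)) {
            container = ctx.getBean(HandlerContainer.class);
        } // close() destroys singletons, which runs destroy() on every DisposableBean
        return container.toList().stream().filter(PooledHandler::isOpen).count();
    }

    public static void main(String[] args) {
        System.out.println("leaky config, handlers still open after close: " + openHandlersAfterClose(LeakyConfig.class));
        System.out.println("fixed config, handlers still open after close: " + openHandlersAfterClose(FixedConfig.class));
    }
}
```

The leaky configuration leaves both handlers open after the context is torn down, while the DisposableBean variant closes them; the same counting approach, applied to pool threads across repeated /actuator/refresh calls, is what the VisualVM observation above measured.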

Ray Bon

Dec 9, 2025, 4:24:26 PM
to cas-...@apereo.org
Steven,

There is a unit test for LdapPasswordSynchronizationConfiguration (found in the same directory as the file you modified).
It may not provide a test of @RefreshScope, but you may be able to verify that the correct beans are created.
There are also functional tests in ci/tests/ldap that may provide some guidance.
I see nothing related to spring.

Ray

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of steven gladwell <steven....@gmail.com>
Sent: December 9, 2025 11:22
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] LDAP Connection Leak During @RefreshScope Refresh - PRs #8098 & #8099
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b54e4dba-f1d9-418a-9b93-b0b7e1758c76n%40apereo.org.