In following code ( changed based on example code given in tomcat-jdbc site ), I first create the connection pool using correct username and password. After sometime I change the username and password to wrong one but still connection success. I have set the testOnBorrow to true which should test the connection when it is issued. Can someone explain why the code does not check on password when it issue a connection ?
My code
PoolProperties p = new PoolProperties();
p.setUrl("myurl");
p.setDriverClassName("oracle.jdbc.driver.OracleDriver");
p.setUsername("test");
p.setPassword("bsc");
p.setJmxEnabled(true);
p.setTestWhileIdle(false);
p.setTestOnBorrow(true);
p.setValidationQuery("SELECT 1");
p.setTestOnReturn(true);
p.setValidationInterval(30000);
p.setTimeBetweenEvictionRunsMillis(30000);
p.setMaxActive(100);
p.setInitialSize(10);
p.setMaxWait(1000);
p.setRemoveAbandonedTimeout(60);
p.setMinEvictableIdleTimeMillis(30000);
p.setMinIdle(10);
p.setLogAbandoned(true);
p.setRemoveAbandoned(true);
p.setJdbcInterceptors(
"org.apache.tomcat.jdbc.pool.interceptor.ConnectionState;" +
"org.apache.tomcat.jdbc.pool.interceptor.StatementFinalizer");
DataSource datasource = new DataSource();
datasource.setPoolProperties(p);
datasource.getPoolProperties().setUsername("Correct");
datasource.getPoolProperties().setPassword("Correct");
for (int i = 0; i < 1000; i++) {
if (i == 6) {
System.out.println("Updating wrong user.");
datasource.getPoolProperties().setUsername("Wrong");
datasource.getPoolProperties().setPassword("Wrong");
}
Connection con = null;
try {
System.out.println("Creating connection - " + i);
con = datasource.getConnection();
System.out.println("Done. connection status is open " + con.isClosed());
Statement st = con.createStatement();
ResultSet rs = st.executeQuery(select);
int cnt = 1;
while (rs.next()) {
System.out.println((cnt++) + ". Host:" + rs.getString(1));
}
rs.close();
st.close();
System.out.println("Done - \n");
} finally {
if (con != null) try {
con.close();
} catch (Exception ignore) {
}
}
According to Oracle developers credentials are used only to authenticate the establishing of the connection. Once the connection is established the individual packets that flow through are not checked for the validity of the credentials. This implementation can be argued from both ends but Oracle disagree's that they should validate already established connections. There are some good reasons for it but again it is arguable. So as @Ironluca pointed in the comment your pooled open connections will not be validated again.
If you have requirement to invalidate the sessions it is possible to kill those connections aka sessions on the database side. That will need DBA access - can't remember the exact sql but I believe it might be v$session table.