RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

[Daniel Fuchs]

On Wed, 20 Oct 2021 13:35:22 GMT, Martin Balao <mbalao at openjdk.org> wrote:

> I'd like to propose a fix for JDK-8275535. This fix reverts the behavior to the state previous to JDK-8160768, where an authentication failure stops from trying other LDAP servers with the same credentials [1]. After JDK-8160768 we have 2 possible loops to stop: the one that iterates over different URLs and the one that iterates over different endpoints (after a DNS query that returns multiple values).
> 
> No test regressions observed in jdk/com/sun/jndi/ldap.
> 
> --
> [1] - https://hg.openjdk.java.net/jdk/jdk/rev/a609d549992a#l2.137

The concerns are two folds:
- without a regression test, you have to trust that the source changes actually work, and there's typically no verification possible
- without a regression test, the next refactoring change in this area two years from now could undo the fix and nobody would notice

I agree that the changes seem safe and given the history seem to be doing what the fix/PR says they do, so I'd be more concerned with the latter. So if it's practical to add a test I'd rather have one. If the behavior is too hard to  test - then the appropriate keyword would be `noreg-hard` rather than `noreg-trivial` (I am not sure trivial actually qualifies here - I can see no obvious flaw but I'm not sure we can say that there are obviously no flaws - or that a flaw would become obvious to future maintainers if that code was refactored in a way that removed the fix).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6043