Hello Spring community,

DefaultSpringSecurityContextSource extends AbstractContextSource hierarchy, and overrides pooling to be enabled by default. Pooling connections/DirContexts without validation configured IMO is wrong. Since Sun/Oracle doesn't have API for configuring validation, Spring LDAP support via PoolingContextSource and DirContextValidator could be recommended in DefaultSpringSecurityContextSource javadoc.

Maybe even pooling should be disabled in DefaultSpringSecurityContextSource by default and
- enabling one could be recommended by using PoolingContextSource, or
- maybe PooledSpringSecurityContextSource could be provided which would extend PoolingContextSource and wrap DefaultSpringSecurityContextSource.

Another, javadoc related issue in DefaultSpringSecurityContextSource is that if one configures a bean of this class via Spring XML, in Eclipse/STS at least auto-complete for pooled property would use javadoc from AbstractContextSource.setPooled which states that default for pooled is false, which could be misleading. Maybe DefaultSpringSecurityContextSource could override setPooled, call super.setPooled, but override javadoc, to avoid any confusion.

Regards,
Stevo.