[jboss-jira] [JBoss JIRA] Commented: (JBAS-5300) ClassLoader leaks in TimedCachePolicy through JAAS Auth Cache

Brian Stansberry (JIRA) jira-events at lists.jboss.org
Thu Apr 9 13:49:40 EDT 2009


    [ https://jira.jboss.org/jira/browse/JBAS-5300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12461548#action_12461548 ] 

Brian Stansberry commented on JBAS-5300:
----------------------------------------

Release 2.2.12.GA of jboss-common-core, which includes the JBCOMMON-50 fix, is now integrated in AS Branch_5_x and trunk. So that aspect of this issue is resolved for AS 5.1.0.CR1.

> ClassLoader leaks in TimedCachePolicy through JAAS Auth Cache
> -------------------------------------------------------------
>
>                 Key: JBAS-5300
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5300
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.2.1.GA
>         Environment: JDK 1.6.0_04
>            Reporter: Arto Huusko
>            Assignee: Anil Saldhana
>
> JAAS authentication cache is responsible for two classloader leaks through org.jboss.utils.TimedCachePolicy, causing classes of undeployed applications not to be unloaded. The second is not a huge problem, but still real, and is related to JBAS-3986.
> First problem is the creation of resolutionTimer. If TimedCachePolicy is used for the first time when my web application is accessed, the resolutionTimer object is created in the context of the web app, and the timer thread attached to the timer inherits the current context class loader, that is my web app's class loader. This results in a permanent reference to that class loader, and it can never be unloaded.
> The second problem is the fact that the expired entries are purged from the cache only when they are accessed. If some credentials are once used, and then never used again, they remain in the cache, and these cached LoginContexts contain references to the web app class loaders.
> First problem is fixable by temporarily changing current thread context class loader when first creating the resolutionTimer.
> The second problem could be fixed by JBoss automatically flushing the authentication cache when the web app is undeployed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
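
The first leak and the fix proposed in the report can be reproduced outside JBoss. The following is an added example, not part of the original message and not the JBCOMMON-50 change itself; the class `TimerTcclLeakDemo`, its helper methods and the empty `URLClassLoader` standing in for a web application's loader are all hypothetical.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.CountDownLatch;

public class TimerTcclLeakDemo {

    // Runs one task on the timer's thread and returns that thread's context class loader.
    static ClassLoader timerThreadLoader(Timer timer) throws InterruptedException {
        final ClassLoader[] seen = new ClassLoader[1];
        final CountDownLatch done = new CountDownLatch(1);
        timer.schedule(new TimerTask() {
            @Override public void run() {
                seen[0] = Thread.currentThread().getContextClassLoader();
                done.countDown();
            }
        }, 0);
        done.await();
        return seen[0];
    }

    // Leaky pattern: the Timer starts its thread in the constructor, and a new
    // thread copies the context class loader of the thread that creates it.
    static Timer createLeaky() {
        return new Timer(true);
    }

    // Fix from the report: switch the context class loader only while the
    // timer is created, then restore the caller's loader.
    static Timer createPinned(ClassLoader owner) {
        Thread current = Thread.currentThread();
        ClassLoader saved = current.getContextClassLoader();
        current.setContextClassLoader(owner);
        try {
            return new Timer(true);
        } finally {
            current.setContextClassLoader(saved);
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader server = TimerTcclLeakDemo.class.getClassLoader();
        ClassLoader webapp = new URLClassLoader(new URL[0], server); // constructed stand-in
        Thread.currentThread().setContextClassLoader(webapp);        // simulates a web app request thread
        Timer leaky = createLeaky();
        Timer pinned = createPinned(server);
        System.out.println("leaky timer thread holds webapp loader:  " + (timerThreadLoader(leaky) == webapp));
        System.out.println("pinned timer thread holds webapp loader: " + (timerThreadLoader(pinned) == webapp));
        leaky.cancel();
        pinned.cancel();
    }
}
```

A timer thread that lives for the life of the server keeps whatever loader it inherited strongly reachable, which is why the leaky variant prevents the web application's classes from being unloaded after undeploy.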

        


