[
https://jira.jboss.org/jira/browse/JBAS-5300?page=com.atlassian.jira.plug...
]
Brian Stansberry commented on JBAS-5300:
----------------------------------------
Release 2.2.12.GA of jboss-common-core, which includes the JBCOMMON-50 fix, is now
integrated in AS Branch_5_x and trunk. So that aspect of this issue is resolved for AS
5.1.0.CR1.
ClassLoader leaks in TimedCachePolicy through JAAS Auth Cache
-------------------------------------------------------------
Key: JBAS-5300
URL: https://jira.jboss.org/jira/browse/JBAS-5300
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-4.2.1.GA
Environment: JDK 1.6.0_04
Reporter: Arto Huusko
Assignee: Anil Saldhana
JAAS authentication cache is responsible for two classloader leaks through
org.jboss.utils.TimedCachePolicy, causing classes of undeployed applications not to be
unloaded. The second is not a huge problem, but still real, and is related to JBAS-3986.
The first problem is the creation of resolutionTimer. If TimedCachePolicy is used for the
first time when my web application is accessed, the resolutionTimer object is created in
the context of the web app, and the timer thread attached to the timer inherits the
current context class loader, that is my web app's class loader. This results in a
permanent reference to that class loader, and it can never be unloaded.
The second problem is the fact that the expired entries are purged from the cache only
when they are accessed. If some credentials are used once, and then never used again, they
remain in the cache, and these cached LoginContexts contain references to the web app
class loaders.
The first problem is fixable by temporarily changing the current thread's context class loader when
first creating the resolutionTimer.
The second problem could be fixed by JBoss automatically flushing the authentication
cache when the web app is undeployed.
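The first leak and the context class loader swap proposed for it can be reproduced outside the application server. The following is an added example, not code from JBoss or from the issue; it assumes the timer behaves like a plain `java.util.Timer`, and the class name, method names and the `URLClassLoader` standing in for a web application's loader are hypothetical.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.CompletableFuture;

public class TimerLoaderLeakDemo {
    // Leaky pattern: the Timer's thread inherits the creating thread's context class loader.
    static Timer createTimerLeaky() {
        return new Timer("resolution-leaky", true);
    }

    // Proposed fix: swap the context class loader only while the Timer is created.
    static Timer createTimerPinned(ClassLoader owner) {
        Thread current = Thread.currentThread();
        ClassLoader saved = current.getContextClassLoader();
        current.setContextClassLoader(owner);
        try {
            return new Timer("resolution-pinned", true);
        } finally {
            current.setContextClassLoader(saved); // always restore the caller's loader
        }
    }

    // Runs one task on the timer thread and returns that thread's context class loader.
    static ClassLoader loaderSeenBy(Timer timer) throws Exception {
        CompletableFuture<ClassLoader> seen = new CompletableFuture<>();
        timer.schedule(new TimerTask() {
            @Override public void run() {
                seen.complete(Thread.currentThread().getContextClassLoader());
            }
        }, 0);
        return seen.get();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader serverLoader = TimerLoaderLeakDemo.class.getClassLoader();
        // Constructed stand-in for a deployed web application's class loader.
        ClassLoader webAppLoader = new URLClassLoader(new URL[0], serverLoader);
        Thread.currentThread().setContextClassLoader(webAppLoader); // simulate a request thread

        Timer leaky = createTimerLeaky();
        Timer pinned = createTimerPinned(serverLoader);
        System.out.println("leaky timer holds web app loader:  " + (loaderSeenBy(leaky) == webAppLoader));
        System.out.println("pinned timer holds web app loader: " + (loaderSeenBy(pinned) == webAppLoader));
        leaky.cancel();
        pinned.cancel();
    }
}
```

The leaky timer's thread keeps a strong reference to the stand-in web app loader for as long as the thread lives, which is what prevents unloading after undeploy; the pinned timer references only the loader that owns the cache class.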