[JBoss JIRA] Created: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
4:12 a.m.
Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA, JBossAS-5.0.1.GA, JBossAS-5.0.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:20 a.m.
New subject: [JBoss JIRA] Updated: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Ganesh Ingle updated JBAS-7468:
-------------------------------
Attachment: JBossAuthorizationContext_MemLeak.png
VisualVM showing JBossAuthorizationContext instance
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.GA, JBossAS-5.0.1.GA, JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Attachments: JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:22 a.m.
New subject: [JBoss JIRA] Updated: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Ganesh Ingle updated JBAS-7468:
-------------------------------
Attachment: HeapMemoryOldGen.png
A graph showing heap usage for "Old Gen" space
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.GA, JBossAS-5.0.1.GA, JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:24 a.m.
New subject: [JBoss JIRA] Updated: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Ganesh Ingle updated JBAS-7468:
-------------------------------
Attachment: JBossAuthorizationContext.java
Fixed version of org.jboss.security.plugins.authorization.JBossAuthorizationContext
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.GA, JBossAS-5.0.1.GA, JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
9:25 a.m.
New subject: [JBoss JIRA] Commented: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Anil Saldhana commented on JBAS-7468:
-------------------------------------
Hey Ganesh, thanks for the bug report. We will fix this asap.
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.GA, JBossAS-5.0.1.GA, JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:35 a.m.
New subject: [JBoss JIRA] Commented: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Ronald van Kuijk commented on JBAS-7468:
----------------------------------------
Is it possible to use JBossSecurity_2.0.4.SP3 (jbosssx.jar, jboss-mc-int.jar
(jboss-server.jar?) ) as a drop-in replacement in JBoss AS 5.1? According to SECURITY-442
it is fixed in there?
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.0.0.GA, JBossAS-5.0.1.GA, JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:18 p.m.
New subject: [JBoss JIRA] Updated: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Anil Saldhana updated JBAS-7468:
--------------------------------
Affects Version/s: JBossAS-6.0.0.M1
(was: JBossAS-5.0.1.GA)
(was: JBossAS-5.0.0.GA)
(was: JBossAS-5.1.0.GA)
Ronald, you can do that.
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Fix For: JBossAS-6.0.0.M1
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:18 p.m.
New subject: [JBoss JIRA] Resolved: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Anil Saldhana resolved JBAS-7468.
---------------------------------
Resolution: Done
Should be fixed for AS6. But you can use the drop in libraries (mentioned by Ronald)
above in AS5.1
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Fix For: JBossAS-6.0.0.M1
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:18 p.m.
New subject: [JBoss JIRA] Updated: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Anil Saldhana updated JBAS-7468:
--------------------------------
Fix Version/s: JBossAS-6.0.0.M1
Affects Version/s: JBossAS-5.1.0.GA
(was: JBossAS-6.0.0.M1)
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Fix For: JBossAS-6.0.0.M1
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:09 a.m.
New subject: [JBoss JIRA] Updated: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Ronald van Kuijk updated JBAS-7468:
-----------------------------------
Workaround Description:
For JBoss AS 5.1.0.GA
- replace jbosssx.jar in common/lib with
http://repository.jboss.org/maven2/org/jboss/security/jbosssx/2.0.4.SP3/j...
- replace jboss-security-spi.jar in common/lib with
http://repository.jboss.org/maven2/org/jboss/security/jboss-security-spi/...
Workaround: [Workaround Exists]
Workaround described in little detail above (in the workaround field)
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Fix For: JBossAS-6.0.0.M1
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
4:59 a.m.
New subject: [JBoss JIRA] Commented: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plug...
]
Michal Borowiecki commented on JBAS-7468:
-----------------------------------------
Thanks for the workaround.
This issue can hit you quite suddenly. Our monitoring kept showing 100MB of free heap
space and then OutOfMemoryErrors started appearing, monitoring still showing 100MB of free
heap.
"controlFlags" must have grown to over 100MB by that time, and on .add() a new
enlarged copy of the underlying array was being allocated resulting in OutOfMemoryError
while heap usage remained at 100MB below max.
Here is the stack trace for reference, so that someone can google it when it hits them ;)
2010-03-31 20:13:06,791 ERROR [org.apache.catalina.connector.CoyoteAdapter] An exception
or error occurred in the container during the request processing
java.lang.OutOfMemoryError: Java heap space
at java.util.Arrays.copyOf(Arrays.java:2734)
at java.util.ArrayList.ensureCapacity(ArrayList.java:167)
at java.util.ArrayList.add(ArrayList.java:351)
at
org.jboss.security.plugins.authorization.JBossAuthorizationContext.initializeModules(JBossAuthorizationContext.java:198)
at
org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:139)
at
org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
at
org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
at
org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:201)
at
org.jboss.web.tomcat.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:643)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461)
at
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at
org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at
org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:383)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:436)
at
org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:384)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://jira.jboss.org/jira/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Fix For: JBossAS-6.0.0.M1
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:30 a.m.
New subject: [JBoss JIRA] Commented: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://issues.jboss.org/browse/JBAS-7468?page=com.atlassian.jira.plugin....
]
Tejas Nevrekar commented on JBAS-7468:
--------------------------------------
Is there a signed jar available for this fix?
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://issues.jboss.org/browse/JBAS-7468
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Labels: JBossAuthorizationContext_leak, JBossAuthorizationContext_memleak,
JBossAuthorizationContext_outofmemory, JBoss_outofmemory, memoryleak, outofmemory
Fix For: 6.0.0.M1
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:26 a.m.
New subject: [JBoss JIRA] Commented: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://issues.jboss.org/browse/JBAS-7468?page=com.atlassian.jira.plugin....
]
George Kandalepas commented on JBAS-7468:
-----------------------------------------
Is there a way to get a copy of the 2 jar files so I can test in my environment?
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://issues.jboss.org/browse/JBAS-7468
Project: Legacy JBoss Application Server 6
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Labels: JBossAuthorizationContext_leak, JBossAuthorizationContext_memleak,
JBossAuthorizationContext_outofmemory, JBoss_outofmemory, memoryleak, outofmemory
Fix For: 6.0.0.M1
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:42 a.m.
New subject: [JBoss JIRA] (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
[
https://issues.jboss.org/browse/JBAS-7468?page=com.atlassian.jira.plugin....
]
Adam Zovits commented on JBAS-7468:
-----------------------------------
Hi all!
I know this is an old issue concerning an old version of JBoss, but I also have this exact
problem.
After finding and downloading the above mentioned jar files (
http://maven.antelink.com/service/local/repo_groups/public-jboss/content/...
and
http://maven.antelink.com/service/local/repo_groups/public-jboss/content/...
) from an old mirror that wasn't shut down yet, I replaced the relevant ones in a
freshly downloaded JBoss 5.1.0 instance and started deploying our project.
One hour later VisualVM says there are 657,664 instances of SimpleRole, just like before
the proposed workaround.
Did I do something wrong? Or are there any other known fixes, patches, workarounds,
anything?
We'd be grateful for any help in this matter.
Thanks in advance!
Memory leak in
org.jboss.security.plugins.authorization.JBossAuthorizationContext
---------------------------------------------------------------------------------
Key: JBAS-7468
URL: https://issues.jboss.org/browse/JBAS-7468
Project: Application Server 3 4 5 and 6
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-5.1.0.GA
Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5),
Architecture: amd64 64bit, JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
Reporter: Ganesh Ingle
Assignee: Anil Saldhana
Labels: JBossAuthorizationContext_leak, JBossAuthorizationContext_memleak,
JBossAuthorizationContext_outofmemory, JBoss_outofmemory, memoryleak, outofmemory
Fix For: 6.0.0.M1
Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java,
JBossAuthorizationContext_MemLeak.png
Our use case (only security related portion is mentioned here):
Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http
client sends soap request and BASIC auth information, the JBoss server performs
authentication and authorization as per WEB-INF/web.xml configuration.
We did a performance/stability test on above web service. After 8.5 million requests the
server gone out of memory. We did heap dump analysis using VisualVM tool and found that
the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming
most of the memory. This class has a memer array named "controlFlags", this
array was showing 25.7 million ControlFlag entries.
When we investigated the code we found that there is one instance of
JBossAuthorizationManager per security domain and this manager has one instance of
JBossAuthorizationContext. For every authorization the JBossAuthorizationContext
initializes authorization modules and pushes their control flags (instances of class
ControlFlag) in member arrays. When the authorization is complete, a commit/abort is
invoked on all modules and finally the "modules" array is cleared. However, the
"controlFlags" array is not cleared. We checked the entire class, this array
never gets cleared.
We changed the code to clear both "modules" and "controlFlags" array
in a finally block in method JBossAuthorizationContext.authorize(final Resource resource,
final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this
fix, the test was successful which proves the fix worked.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
4394
days inactive
5423
days old
13 comments
7 participants
participants (7)
-
Adam Zovits (JIRA) -
Anil Saldhana (JIRA)
-
Ganesh Ingle (JIRA)
-
George Kandalepas (JIRA)
-
Michal Borowiecki (JIRA)
-
Ronald van Kuijk (JIRA)
-
Tejas Nevrekar (JIRA)