ClassLoader leaks in TimedCachePolicy through JAAS Auth Cache ------------------------------------------------------------- Key: JBAS-5300 URL: http://jira.jboss.com/jira/browse/JBAS-5300 Project: JBoss Application Server Issue Type: Bug Security Level: Public (Everyone can see) Components: ClassLoading Affects Versions: JBossAS-4.2.1.GA Environment: JDK 1.6.0_04 Reporter: Arto Huusko Assigned To: Scott M Stark JAAS authentication cache is responsible for two classloader leaks through org.jboss.utils.TimedCachePolicy, causing classes of undeployed applications not be unloaded. The second is not a huge problem, but still real, and is related to JBAS-3986. First problem is the creation of resolutionTimer. If TimedCachePolicy is used for the first time when my web application is accessed, the resolutionTimer object is created in the context of the web app, and the timer thread attached to the timer inherits the current context class loader, that is my web app's class loader. This results in a permanent reference to that class loader, and it can never be unloaded. The second problem is the fact that the expired entries are purged from the cache only when they are accessed. If some credentials are once used, and then never used again, they remain in the cache, and these cached LoginContexts contain references to the web app class loaders. First problem is fixable by temporarily changing current thread context class loader when first creating the resolutionTimer. The second problem could be fixed by JBoss automatically flushing the authentication cache when the web app is undeployed. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira