]
David Lloyd commented on ELY-1237:
----------------------------------
This is somewhat deceptive, because in this case AutoCloseable is a convenience interface.
If success() or fail() are called, this also "closes" the context.
That said, using try-with-resources wherever possible and convenient is probably a good
idea. The runAsIdentity cases definitely need to be fixed because they are not calling
close() nor success() or fail().
Coverity, Resource leak in SecurityIdentity (Elytron)
-----------------------------------------------------
Key: ELY-1237
URL:
https://issues.jboss.org/browse/ELY-1237
Project: WildFly Elytron
Issue Type: Bug
Reporter: Martin Choma
Assignee: Ilia Vassilev
Priority: Critical
Coverity found possible resource leak. On 2 places there is created
ServerAuthenticationContext in SecurityIdentity but is not closed.
{code}
public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize)
throws SecurityException {
Assert.checkNotNullParam("principal", principal);
// rewrite principal
final SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(SET_RUN_AS_PERMISSION);
}
final ServerAuthenticationContext context =
securityDomain.createNewAuthenticationContext(this,
MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
try {
if (! (context.importIdentity(this) && context.authorize(principal,
authorize))) {
throw log.runAsAuthorizationFailed(this.principal, principal, null);
}
} catch (RealmUnavailableException e) {
throw log.runAsAuthorizationFailed(this.principal,
context.getAuthenticationPrincipal(), e);
}
return context.getAuthorizedIdentity();
}
public SecurityIdentity createRunAsAnonymous(boolean authorize) throws
SecurityException {
final SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(SET_RUN_AS_PERMISSION);
}
final ServerAuthenticationContext context =
securityDomain.createNewAuthenticationContext(this,
MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
if (! context.authorizeAnonymous(authorize)) {
throw log.runAsAuthorizationFailed(principal,
AnonymousPrincipal.getInstance(), null);
}
return context.getAuthorizedIdentity();
}
{code}
In SecurityDomainTrustManager newly created ServerAuthenticationContext is closed in
try-with-resource
{code}
try (final ServerAuthenticationContext authenticationContext =
securityDomain.createNewAuthenticationContext(mechanismConfigurationSelector)) {
{code}
https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=22525...