[security-dev] PicketLink 2.1.10 and 2.5.3.Beta2 issues

Hi Anil & Peter, I have several issues with PicketLink 2.1.10. I'm preparing STS client pool tests for EAP 5.3 and I would like to voice the following concerns here: 1) missing release numbers in the JIRA (https://issues.jboss.org/browse/PLINK2) 2) There is a regression (NPE) in JBWSTokenIssuingLoginModule - https://issues.jboss.org/browse/PLINK2-127 2 test cases from the picketlink-integration-tests hit this. Did your run of the testsuite before the release passed without any issues? 3) missing documentation of the new STSClient pool feature. Even the JavaDoc for methods is missing in STSClientPool and STSClientFactory classes. This documentation will be needed by our documentation team. 4) I would like to bring to your attention the following features of the implementation of the STS client pool: - STSClientFactory doesn't provide access to the pool used - user doesn't know he should return the STSClient instance to a pool. Should this be documented, so leaks can be avoided? - scaling is not possible - singleton is used in class STSClientPool - once the pool is created it is not possible to resize it during runtime (or create another one with different size) - I don't see a possibility how to clean-up the pool - e.g. when a thread which uses a client from pool dies 5) All the points above are also valid for PicketLink 2.5.3.Beta2, which is included in EAP 6.3.0.DR0 - https://bugzilla.redhat.com/show_bug.cgi?id=1064331 Anil, Peter, can you please comment on these? I've created an EAP 5.3 test plan for STS pool here - https://issues.jboss.org/browse/JBQA-8620 Don't hesitate to comment there, if you see invalid entries or if you are missing some more points. Thank you in advance, -- josef