[jboss-cvs] JBossAS SVN: r80205 - in branches/JBPAPP_4_2_0_GA_CP: security/src/main/org/jboss/security and 1 other directory.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Wed Oct 29 13:37:22 EDT 2008
Author: mmoyses
Date: 2008-10-29 13:37:22 -0400 (Wed, 29 Oct 2008)
New Revision: 80205
Modified:
branches/JBPAPP_4_2_0_GA_CP/aspects/src/main/org/jboss/aspects/security/AuthenticationInterceptor.java
branches/JBPAPP_4_2_0_GA_CP/aspects/src/main/org/jboss/aspects/security/SecurityActions.java
branches/JBPAPP_4_2_0_GA_CP/security/src/main/org/jboss/security/SecurityAssociation.java
Log:
JBPAPP-1348: fixing SubjectContext memory leak
Modified: branches/JBPAPP_4_2_0_GA_CP/aspects/src/main/org/jboss/aspects/security/AuthenticationInterceptor.java
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/aspects/src/main/org/jboss/aspects/security/AuthenticationInterceptor.java 2008-10-29 17:07:31 UTC (rev 80204)
+++ branches/JBPAPP_4_2_0_GA_CP/aspects/src/main/org/jboss/aspects/security/AuthenticationInterceptor.java 2008-10-29 17:37:22 UTC (rev 80205)
@@ -85,7 +85,7 @@
if (authenticationManager == null || callerRunAsIdentity == null)
SecurityActions.popSubjectContext();
- if (invocation.getMetaData("security", "principal") != null)
+ if (invocation.getMetaData("security", "principal") != null && !SecurityActions.isServer())
{
SecurityActions.setPrincipal(null);
SecurityActions.setCredential(null);
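Review bot: With the added `&& !SecurityActions.isServer()`, server mode depends entirely on `popSubjectContext()` to restore the thread's principal and credential, but that pop is itself guarded by `authenticationManager == null || callerRunAsIdentity == null` on the line above. When both are non-null in server mode, neither the pop nor the `setPrincipal(null)`/`setCredential(null)` reset runs in the visible lines, so the identity taken from the invocation metadata may stay bound to a pooled thread; please confirm that another path clears it. A short comment on the condition would also record the intent, e.g. `// server mode: popSubjectContext() restores the thread identity; setPrincipal(null) would push another SubjectContext (JBPAPP-1348)`. The enclosing method starts and ends outside the hunk, so the pairing of push and pop cannot be checked from here.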
Modified: branches/JBPAPP_4_2_0_GA_CP/aspects/src/main/org/jboss/aspects/security/SecurityActions.java
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/aspects/src/main/org/jboss/aspects/security/SecurityActions.java 2008-10-29 17:07:31 UTC (rev 80204)
+++ branches/JBPAPP_4_2_0_GA_CP/aspects/src/main/org/jboss/aspects/security/SecurityActions.java 2008-10-29 17:37:22 UTC (rev 80205)
@@ -485,11 +485,11 @@
}
}
-
-
-
-
-
+ static boolean isServer()
+ {
+ return SecurityAssociation.isServer();
+ }
+
interface TCLAction
{
class UTIL
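Review bot: The new `isServer()` helper here and the public `SecurityAssociation.isServer()` it delegates to (added near the end of the SecurityAssociation.java section) both land without a doc comment, although this flag now decides whether the interceptor resets the identity after an invocation. Going by the field comments in SecurityAssociation, the public method could carry `/** @return true when principal and credential are held per thread (server mode), false when the global static fields are used */`. On this wrapper a one-line comment such as `// plain delegate: SecurityAssociation.isServer() does no permission check, so no privileged action is needed` would explain why it is a direct call.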
Modified: branches/JBPAPP_4_2_0_GA_CP/security/src/main/org/jboss/security/SecurityAssociation.java
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/security/src/main/org/jboss/security/SecurityAssociation.java 2008-10-29 17:07:31 UTC (rev 80204)
+++ branches/JBPAPP_4_2_0_GA_CP/security/src/main/org/jboss/security/SecurityAssociation.java 2008-10-29 17:37:22 UTC (rev 80205)
@@ -58,18 +58,22 @@
public final class SecurityAssociation
{
private static Logger log = Logger.getLogger(SecurityAssociation.class);
+
/**
* A flag indicating if trace level logging should be performed
*/
private static boolean trace;
+
/**
* A flag indicating if security information is global or thread local
*/
private static boolean server;
+
/**
* The SecurityAssociation principal used when the server flag is false
*/
private static Principal principal;
+
/**
* The SecurityAssociation credential used when the server flag is false
*/
@@ -79,10 +83,12 @@
* The SecurityAssociation principal used when the server flag is true
*/
private static ThreadLocal threadPrincipal;
+
/**
* The SecurityAssociation credential used when the server flag is true
*/
private static ThreadLocal threadCredential;
+
/**
* The SecurityAssociation HashMap<String, Object>
*/
@@ -93,10 +99,11 @@
* run-as identity propagation
*/
private static RunAsThreadLocalStack threadRunAsStacks;
+
/**
* Thread local stacks of authenticated subject used to control the current
* caller security context
- */
+ */
private static SubjectThreadLocalStack threadSubjectStacks;
/**
@@ -140,7 +147,7 @@
{
String flag = SecurityActions.getProperty("org.jboss.security.SecurityAssociation.ThreadLocal", "false");
boolean useThreadLocal = Boolean.valueOf(flag).booleanValue();
- log.debug("Using ThreadLocal: "+useThreadLocal);
+ log.debug("Using ThreadLocal: " + useThreadLocal);
trace = log.isTraceEnabled();
if (useThreadLocal)
@@ -181,14 +188,13 @@
sm.checkPermission(getPrincipalInfoPermission);
Principal thePrincipal = principal;
-
-
+
if (server)
thePrincipal = (Principal) threadPrincipal.get();
-
- if( trace )
- log.trace("getPrincipal, principal="+thePrincipal);
-
+
+ if (trace)
+ log.trace("getPrincipal, principal=" + thePrincipal);
+
return thePrincipal;
}
@@ -208,15 +214,15 @@
sm.checkPermission(getPrincipalInfoPermission);
Principal thePrincipal = peekRunAsIdentity(1);
- if( thePrincipal == null )
+ if (thePrincipal == null)
{
if (server)
thePrincipal = (Principal) threadPrincipal.get();
else
thePrincipal = principal;
}
- if( trace )
- log.trace("getCallerPrincipal, principal="+thePrincipal);
+ if (trace)
+ log.trace("getCallerPrincipal, principal=" + thePrincipal);
return thePrincipal;
}
@@ -260,10 +266,10 @@
sm.checkPermission(getSubjectPermission);
SubjectContext sc = threadSubjectStacks.peek();
- if( trace )
- log.trace("getSubject, sc="+sc);
+ if (trace)
+ log.trace("getSubject, sc=" + sc);
Subject subject = null;
- if( sc != null )
+ if (sc != null)
subject = sc.getSubject();
return subject;
}
@@ -292,21 +298,21 @@
SecurityAssociation.principal = principal;
// Integrate with the new SubjectContext
SubjectContext sc = threadSubjectStacks.peek();
- if( sc == null )
+ if (sc == null)
{
// There is no active security context
sc = new SubjectContext();
threadSubjectStacks.push(sc);
}
- else if( (sc.getFlags() & SubjectContext.PRINCIPAL_WAS_SET) != 0 )
+ else if ((sc.getFlags() & SubjectContext.PRINCIPAL_WAS_SET) != 0)
{
// The current security context has its principal set
sc = new SubjectContext();
- threadSubjectStacks.push(sc);
+ threadSubjectStacks.push(sc);
}
sc.setPrincipal(principal);
if (trace)
- log.trace("setPrincipal, sc="+sc);
+ log.trace("setPrincipal, sc=" + sc);
}
/**
@@ -332,21 +338,21 @@
SecurityAssociation.credential = credential;
// Integrate with the new SubjectContext
SubjectContext sc = threadSubjectStacks.peek();
- if( sc == null )
+ if (sc == null)
{
// There is no active security context
sc = new SubjectContext();
threadSubjectStacks.push(sc);
}
- else if( (sc.getFlags() & SubjectContext.CREDENTIAL_WAS_SET) != 0 )
+ else if ((sc.getFlags() & SubjectContext.CREDENTIAL_WAS_SET) != 0)
{
// The current security context has its principal set
sc = new SubjectContext();
- threadSubjectStacks.push(sc);
+ threadSubjectStacks.push(sc);
}
sc.setCredential(credential);
if (trace)
- log.trace("setCredential, sc="+sc);
+ log.trace("setCredential, sc=" + sc);
}
/**
@@ -367,21 +373,21 @@
log.trace("setSubject, s=" + subject + ", server=" + server);
// Integrate with the new SubjectContext
SubjectContext sc = threadSubjectStacks.peek();
- if( sc == null )
+ if (sc == null)
{
// There is no active security context
sc = new SubjectContext();
threadSubjectStacks.push(sc);
}
- else if( (sc.getFlags() & SubjectContext.SUBJECT_WAS_SET) != 0 )
+ else if ((sc.getFlags() & SubjectContext.SUBJECT_WAS_SET) != 0)
{
// The current security context has its subject set
sc = new SubjectContext();
- threadSubjectStacks.push(sc);
+ threadSubjectStacks.push(sc);
}
sc.setSubject(subject);
if (trace)
- log.trace("setSubject, sc="+sc);
+ log.trace("setSubject, sc=" + sc);
}
/**
@@ -434,7 +440,7 @@
* @param subject - the authenticated subject
* @param principal - the principal that was input into the authentication
* @param credential - the credential that was input into the authentication
- */
+ */
public static void pushSubjectContext(Subject subject,
Principal principal, Object credential)
{
@@ -457,8 +463,9 @@
SubjectContext sc = new SubjectContext(subject, principal, credential);
threadSubjectStacks.push(sc);
if (trace)
- log.trace("pushSubjectContext, subject=" + subject + ", sc="+sc);
+ log.trace("pushSubjectContext, subject=" + subject + ", sc=" + sc);
}
+
/**
* Push a duplicate of the current SubjectContext if one exists.
* When run under a security manager this requires the
@@ -473,7 +480,7 @@
SubjectContext sc = threadSubjectStacks.dup();
if (trace)
- log.trace("dupSubjectContext, sc="+sc);
+ log.trace("dupSubjectContext, sc=" + sc);
}
/**
@@ -483,7 +490,7 @@
* RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
* permission.
* @return the SubjectContext pushed previously by a pushSubjectContext call
- */
+ */
public static SubjectContext popSubjectContext()
{
SecurityManager sm = System.getSecurityManager();
@@ -493,20 +500,20 @@
SubjectContext sc = threadSubjectStacks.pop();
if (trace)
{
- log.trace("popSubjectContext, sc="+sc);
+ log.trace("popSubjectContext, sc=" + sc);
}
-
+
Principal principal = null;
Object credential = null;
-
+
SubjectContext top = threadSubjectStacks.peek();
-
+
if (top != null)
{
principal = top.getPrincipal();
credential = top.getCredential();
}
-
+
if (server)
{
threadPrincipal.set(principal);
@@ -517,10 +524,10 @@
SecurityAssociation.principal = principal;
SecurityAssociation.credential = credential;
}
-
+
return sc;
}
-
+
/**
* Look at the current thread of control's authenticated identity on the top
* of the stack.
@@ -577,7 +584,7 @@
sm.checkPermission(setRunAsIdentity);
if (trace)
log.trace("pushRunAsIdentity, runAs=" + runAs);
-
+
threadRunAsStacks.push(runAs);
}
@@ -638,6 +645,11 @@
server = true;
}
+
+ public static boolean isServer()
+ {
+ return server;
+ }
/**
* A subclass of ThreadLocal that implements a value stack using an ArrayList
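Review bot: `isServer()` returns the static `server` field, which the first SecurityAssociation hunk shows declared as `private static boolean server;` with no `volatile` and no synchronization. A thread calling the accessor therefore has no visibility guarantee for the `server = true;` write made on another thread, and AuthenticationInterceptor now branches on this value when deciding whether to reset principal and credential. If the flag can be set after request threads are already running, declaring it `private static volatile boolean server;` would close that gap; if it is only ever set during startup, a comment saying so would be enough. The method containing `server = true;` starts outside the hunk.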
@@ -650,12 +662,12 @@
RunAsThreadLocalStack(boolean threadLocal)
{
- if( threadLocal == true )
+ if (threadLocal == true)
local = new ArrayListLocal();
else
local = new ArrayListInheritableLocal();
}
-
+
int size()
{
ArrayList stack = (ArrayList) local.get();
@@ -691,9 +703,9 @@
do
{
int index = stackSize - 1 - depth;
- if( index >= 0 )
+ if (index >= 0)
runAs = (RunAsIdentity) stack.get(index);
- depth ++;
+ depth++;
}
while (runAs == null && depth <= stackSize - 1);
return runAs;
@@ -702,22 +714,28 @@
/**
* The encapsulation of the authenticated subject
- */
+ */
public static class SubjectContext
{
public static final int SUBJECT_WAS_SET = 1;
+
public static final int PRINCIPAL_WAS_SET = 2;
+
public static final int CREDENTIAL_WAS_SET = 4;
private Subject subject;
+
private Principal principal;
+
private Object credential;
+
private int flags;
public SubjectContext()
{
this.flags = 0;
}
+
public SubjectContext(Subject s, Principal p, Object cred)
{
this.subject = s;
@@ -730,6 +748,7 @@
{
return subject;
}
+
public void setSubject(Subject subject)
{
this.subject = subject;
@@ -740,6 +759,7 @@
{
return principal;
}
+
public void setPrincipal(Principal principal)
{
this.principal = principal;
@@ -750,6 +770,7 @@
{
return credential;
}
+
public void setCredential(Object credential)
{
this.credential = credential;
@@ -767,7 +788,7 @@
tmp.append("{principal=");
tmp.append(principal);
tmp.append(",subject=");
- if( subject != null )
+ if (subject != null)
tmp.append(System.identityHashCode(subject));
else
tmp.append("null");
@@ -782,12 +803,12 @@
SubjectThreadLocalStack(boolean threadLocal)
{
- if( threadLocal == true )
+ if (threadLocal == true)
local = new ArrayListLocal();
else
local = new ArrayListInheritableLocal();
}
-
+
int size()
{
ArrayList stack = (ArrayList) local.get();
@@ -837,9 +858,10 @@
context = (SubjectContext) stack.get(lastIndex);
return context;
}
+
/**
* Remove all SubjectContext from the current thread stack
- */
+ */
void clear()
{
ArrayList stack = (ArrayList) local.get();
@@ -853,7 +875,7 @@
{
return new ArrayList();
}
-
+
}
private static class ArrayListInheritableLocal extends InheritableThreadLocal
@@ -875,7 +897,7 @@
{
copy = new ArrayList(list);
}
- catch(Throwable t)
+ catch (Throwable t)
{
log.debug("Failed to copy parent list, using new list");
copy = new ArrayList();
@@ -887,8 +909,9 @@
{
return new ArrayList();
}
-
+
}
+
private static class HashMapInheritableLocal extends InheritableThreadLocal
{
/**
@@ -908,7 +931,7 @@
{
copy = new HashMap(map);
}
- catch(Throwable t)
+ catch (Throwable t)
{
log.debug("Failed to copy parent map, using new map");
copy = new HashMap();
@@ -920,6 +943,6 @@
{
return new HashMap();
}
-
+
}
}
\ No newline at end of file