[jboss-jira] [JBoss JIRA] Created: (JBAS-5300) ClassLoader leaks in TimedCachePolicy through JAAS Auth Cache

Arto Huusko (JIRA) jira-events at lists.jboss.org
Mon Mar 10 05:02:58 EDT 2008 

ClassLoader leaks in TimedCachePolicy through JAAS Auth Cache
-------------------------------------------------------------

                 Key: JBAS-5300
                 URL: http://jira.jboss.com/jira/browse/JBAS-5300
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: ClassLoading
    Affects Versions: JBossAS-4.2.1.GA
         Environment: JDK 1.6.0_04
            Reporter: Arto Huusko
         Assigned To: Scott M Stark


JAAS authentication cache is responsible for two classloader leaks through org.jboss.utils.TimedCachePolicy, causing classes of undeployed applications not be unloaded. The second is not a huge problem, but still real, and is related to JBAS-3986.

First problem is the creation of resolutionTimer. If TimedCachePolicy is used for the first time when my web application is accessed, the resolutionTimer object is created in the context of the web app, and the timer thread attached to the timer inherits the current context class loader, that is my web app's class loader. This results in a permanent reference to that class loader, and it can never be unloaded.

The second problem is the fact that the expired entries are purged from the cache only when they are accessed. If some credentials are once used, and then never used again, they remain in the cache, and these cached LoginContexts contain references to the web app class loaders.

First problem is fixable by temporarily changing current thread context class loader when first creating the resolutionTimer.

The second problem could be fixed by JBoss automatically flushing the authentication cache when the web app is undeployed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list