[jboss-jira] [JBoss JIRA] Commented: (JBAS-7468) Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Wed Nov 18 10:25:30 EST 2009


    [ https://jira.jboss.org/jira/browse/JBAS-7468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12495313#action_12495313 ] 

Anil Saldhana commented on JBAS-7468:
-------------------------------------

Hey Ganesh,  thanks for the bug report. We will fix this asap.

> Memory leak in org.jboss.security.plugins.authorization.JBossAuthorizationContext
> ---------------------------------------------------------------------------------
>
>                 Key: JBAS-7468
>                 URL: https://jira.jboss.org/jira/browse/JBAS-7468
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-5.0.0.GA, JBossAS-5.0.1.GA, JBossAS-5.1.0.GA
>         Environment: JBoss Version: jboss-5.1.0.GA, OS: Linux (2.6.18-164.el5), Architecture: amd64 64bit,  JVM: Java HotSpot(TM) 64-Bit Server VM (14.0-b16, mixed mode)
>            Reporter: Ganesh Ingle
>            Assignee: Anil Saldhana
>         Attachments: HeapMemoryOldGen.png, JBossAuthorizationContext.java, JBossAuthorizationContext_MemLeak.png
>
>
> Our use case (only security related portion is mentioned here):
> Axis 1.4 webservice, standard J2EE declarative security through WEB-INF/web.xml, a http client sends soap request and BASIC auth information, the JBoss server performs authentication and authorization as per WEB-INF/web.xml configuration.
> We did a performance/stability test on above web service. After 8.5 million requests the server gone out of memory. We did heap dump analysis using VisualVM tool and found that the class org.jboss.security.plugins.authorization.JBossAuthorizationContext is consuming most of the memory. This class has a memer array named "controlFlags", this array was showing 25.7 million ControlFlag entries.
> When we investigated the code we found that there is one instance of JBossAuthorizationManager per security domain and this manager has one instance of JBossAuthorizationContext. For every authorization the JBossAuthorizationContext initializes authorization modules and pushes their control flags (instances of class ControlFlag) in member arrays. When the authorization is complete, a commit/abort is invoked on all modules and finally the "modules" array is cleared. However, the "controlFlags" array is not cleared. We checked the entire class, this array never gets cleared.
> We changed the code to clear both "modules" and "controlFlags" array in a finally block in method JBossAuthorizationContext.authorize(final Resource resource, final Subject subject, final RoleGroup callerRoles). We ran a 50million test after this fix, the test was successful which proves the fix worked.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        



More information about the jboss-jira mailing list