[jboss-jira] [JBoss JIRA] (ELY-1237) Coverity, Resource leak in SecurityIdentity (Elytron)
Martin Choma (JIRA)
issues at jboss.org
Fri Jun 9 02:12:00 EDT 2017
Martin Choma created ELY-1237:
---------------------------------
Summary: Coverity, Resource leak in SecurityIdentity (Elytron)
Key: ELY-1237
URL: https://issues.jboss.org/browse/ELY-1237
Project: WildFly Elytron
Issue Type: Bug
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
Coverity found a possible resource leak. In 2 places a ServerAuthenticationContext is created in SecurityIdentity but is not closed.
{code}
public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException {
    Assert.checkNotNullParam("principal", principal);
    // rewrite principal
    final SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(SET_RUN_AS_PERMISSION);
    }
    final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
    try {
        if (! (context.importIdentity(this) && context.authorize(principal, authorize))) {
            throw log.runAsAuthorizationFailed(this.principal, principal, null);
        }
    } catch (RealmUnavailableException e) {
        throw log.runAsAuthorizationFailed(this.principal, context.getAuthenticationPrincipal(), e);
    }
    return context.getAuthorizedIdentity();
}

public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException {
    final SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(SET_RUN_AS_PERMISSION);
    }
    final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
    if (! context.authorizeAnonymous(authorize)) {
        throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null);
    }
    return context.getAuthorizedIdentity();
}
{code}
In SecurityDomainTrustManager the newly created ServerAuthenticationContext is closed in try-with-resources
{code}
try (final ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(mechanismConfigurationSelector)) {
{code}
https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=22525060&defectInstanceId=5116909&mergedDefectId=1440894&fileStart=376&fileEnd=625
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
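
The leak pattern reported above and the try-with-resources form that closes it, as an added example that is not part of the original message and is not Elytron code. `DemoContext` is a hypothetical stand-in for ServerAuthenticationContext, and the example assumes the value returned by `getAuthorizedIdentity()` stays usable after the context is closed.

```java
import java.util.concurrent.atomic.AtomicInteger;

public class RunAsLeakDemo {
    // Counts contexts that were created but not yet closed.
    static final AtomicInteger OPEN = new AtomicInteger();

    // Hypothetical stand-in for ServerAuthenticationContext (assumed AutoCloseable, as the
    // try-with-resources usage in SecurityDomainTrustManager implies).
    static final class DemoContext implements AutoCloseable {
        private final boolean allow;
        DemoContext(boolean allow) { this.allow = allow; OPEN.incrementAndGet(); }
        boolean authorize(String principal) { return allow; }
        String getAuthorizedIdentity() { return "run-as-identity"; }
        @Override public void close() { OPEN.decrementAndGet(); }
    }

    // Shape of the reported methods: the context is closed on neither the return nor the throw path.
    static String runAsLeaky(String principal, boolean allow) {
        final DemoContext context = new DemoContext(allow);
        if (!context.authorize(principal)) {
            throw new SecurityException("run-as authorization failed for " + principal);
        }
        return context.getAuthorizedIdentity();
    }

    // Same logic in try-with-resources: the return value is evaluated first, then close() runs,
    // and close() also runs when the authorization failure is thrown.
    static String runAsClosed(String principal, boolean allow) {
        try (DemoContext context = new DemoContext(allow)) {
            if (!context.authorize(principal)) {
                throw new SecurityException("run-as authorization failed for " + principal);
            }
            return context.getAuthorizedIdentity();
        }
    }

    // Runs one allowed and one denied run-as attempt and reports how many contexts stay open.
    static int openAfter(boolean leaky) {
        OPEN.set(0);
        for (boolean allow : new boolean[] {true, false}) {
            try {
                if (leaky) runAsLeaky("alice", allow); else runAsClosed("alice", allow);
            } catch (SecurityException denied) { /* denied path still created a context */ }
        }
        return OPEN.get();
    }

    public static void main(String[] args) {
        System.out.println("leaky:  open contexts = " + openAfter(true));
        System.out.println("closed: open contexts = " + openAfter(false));
    }
}
```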