[jboss-jira] [JBoss JIRA] (ELY-1237) Coverity, Resource leak in SecurityIdentity (Elytron)
Ilia Vassilev (JIRA)
issues at jboss.org
Fri Jun 9 02:13:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ilia Vassilev reassigned ELY-1237:
----------------------------------
Assignee: Ilia Vassilev (was: Darran Lofthouse)
> Coverity, Resource leak in SecurityIdentity (Elytron)
> -----------------------------------------------------
>
> Key: ELY-1237
> URL: https://issues.jboss.org/browse/ELY-1237
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Priority: Critical
>
> Coverity found a possible resource leak. In 2 places a ServerAuthenticationContext is created in SecurityIdentity but is not closed.
> {code}
> public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException {
>     Assert.checkNotNullParam("principal", principal);
>     // rewrite principal
>     final SecurityManager sm = System.getSecurityManager();
>     if (sm != null) {
>         sm.checkPermission(SET_RUN_AS_PERMISSION);
>     }
>     final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
>     try {
>         if (! (context.importIdentity(this) && context.authorize(principal, authorize))) {
>             throw log.runAsAuthorizationFailed(this.principal, principal, null);
>         }
>     } catch (RealmUnavailableException e) {
>         throw log.runAsAuthorizationFailed(this.principal, context.getAuthenticationPrincipal(), e);
>     }
>     return context.getAuthorizedIdentity();
> }
>
> public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException {
>     final SecurityManager sm = System.getSecurityManager();
>     if (sm != null) {
>         sm.checkPermission(SET_RUN_AS_PERMISSION);
>     }
>     final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
>     if (! context.authorizeAnonymous(authorize)) {
>         throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null);
>     }
>     return context.getAuthorizedIdentity();
> }
> {code}
> In SecurityDomainTrustManager the newly created ServerAuthenticationContext is closed in a try-with-resources block:
> {code}
> try (final ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(mechanismConfigurationSelector)) {
> {code}
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=22525060&defectInstanceId=5116909&mergedDefectId=1440894&fileStart=376&fileEnd=625
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list
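The leak pattern the report describes, and the try-with-resources shape it points to in SecurityDomainTrustManager, side by side as an added example. This is not Elytron code: AuthContext, RunAs and the OPEN set are hypothetical stand-ins for ServerAuthenticationContext and the two createRunAs* methods, written only so that a context that is never closed becomes visible.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added example, not Elytron code. AuthContext is a hypothetical stand-in for
// ServerAuthenticationContext: an AutoCloseable that records whether close()
// was ever called, so a leak on the success or the failure path shows up.
final class AuthContext implements AutoCloseable {
    // Every context still open; anything left here after a call returned is a leak.
    static final Set<AuthContext> OPEN = new LinkedHashSet<>();

    private final boolean authorizes;
    private boolean closed;

    AuthContext(boolean authorizes) {
        this.authorizes = authorizes;
        OPEN.add(this);
    }

    boolean authorize() {
        return authorizes;
    }

    String getAuthorizedIdentity() {
        if (!authorizes) {
            throw new IllegalStateException("not authorized");
        }
        return "run-as identity";
    }

    @Override
    public void close() {
        closed = true;
        OPEN.remove(this);
    }

    boolean isClosed() {
        return closed;
    }
}

final class RunAs {
    // Shape of createRunAsAnonymous as reported: the context is created and
    // then abandoned, both when authorization succeeds (return) and when it
    // fails (throw). Neither path calls close().
    static String leaky(boolean authorize) {
        final AuthContext context = new AuthContext(authorize);
        if (!context.authorize()) {
            throw new SecurityException("run-as authorization failed");
        }
        return context.getAuthorizedIdentity();
    }

    // Same logic with try-with-resources, the pattern the report quotes from
    // SecurityDomainTrustManager: close() runs after the return value has been
    // computed, and also when the SecurityException propagates out of the block.
    static String fixed(boolean authorize) {
        try (AuthContext context = new AuthContext(authorize)) {
            if (!context.authorize()) {
                throw new SecurityException("run-as authorization failed");
            }
            return context.getAuthorizedIdentity();
        }
    }
}

public class ResourceLeakDemo {
    private static void exercise(String label, boolean authorize, boolean useFix) {
        AuthContext.OPEN.clear();
        try {
            String identity = useFix ? RunAs.fixed(authorize) : RunAs.leaky(authorize);
            System.out.println(label + ": returned " + identity);
        } catch (SecurityException e) {
            System.out.println(label + ": threw " + e.getMessage());
        }
        System.out.println(label + ": contexts still open = " + AuthContext.OPEN.size());
    }

    public static void main(String[] args) {
        exercise("leaky/authorized", true, false);
        exercise("leaky/denied", false, false);
        exercise("fixed/authorized", true, true);
        exercise("fixed/denied", false, true);
    }
}
```

Compile and run with `javac ResourceLeakDemo.java && java ResourceLeakDemo`. Both leaky calls leave one context in OPEN, the two fixed calls leave none. Two points worth checking before applying the same change to createRunAsIdentity and createRunAsAnonymous: the `return` expression inside a try-with-resources block is evaluated before close() runs, so the identity is obtained from a still-open context, but whether the returned SecurityIdentity remains valid after its ServerAuthenticationContext is closed is something to confirm against the real class rather than assume from this stand-in; and in createRunAsIdentity the existing catch of RealmUnavailableException still reads context.getAuthenticationPrincipal(), which must stay inside the try-with-resources block so it runs before close().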