[jboss-jira] [JBoss JIRA] (ELY-1237) Coverity, Resource leak in SecurityIdentity (Elytron)
David Lloyd (JIRA)
issues at jboss.org
Fri Jun 9 11:37:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1237?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13419034#comment-13419034 ]
David Lloyd commented on ELY-1237:
----------------------------------
This is somewhat deceptive, because in this case AutoCloseable is a convenience interface. If success() or fail() are called, this also "closes" the context.
That said, using try-with-resources wherever possible and convenient is probably a good idea. The runAsIdentity cases definitely need to be fixed because they are not calling close() nor success() or fail().
> Coverity, Resource leak in SecurityIdentity (Elytron)
> -----------------------------------------------------
>
> Key: ELY-1237
> URL: https://issues.jboss.org/browse/ELY-1237
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Priority: Critical
>
> Coverity found possible resource leak. On 2 places there is created ServerAuthenticationContext in SecurityIdentity but is not closed.
> {code}
> public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException {
> Assert.checkNotNullParam("principal", principal);
> // rewrite principal
> final SecurityManager sm = System.getSecurityManager();
> if (sm != null) {
> sm.checkPermission(SET_RUN_AS_PERMISSION);
> }
> final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
> try {
> if (! (context.importIdentity(this) && context.authorize(principal, authorize))) {
> throw log.runAsAuthorizationFailed(this.principal, principal, null);
> }
> } catch (RealmUnavailableException e) {
> throw log.runAsAuthorizationFailed(this.principal, context.getAuthenticationPrincipal(), e);
> }
> return context.getAuthorizedIdentity();
> }
> public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException {
> final SecurityManager sm = System.getSecurityManager();
> if (sm != null) {
> sm.checkPermission(SET_RUN_AS_PERMISSION);
> }
> final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
> if (! context.authorizeAnonymous(authorize)) {
> throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null);
> }
> return context.getAuthorizedIdentity();
> }
> {code}
> In SecurityDomainTrustManager newly created ServerAuthenticationContext is closed in try-with-resource
> {code}
> try (final ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(mechanismConfigurationSelector)) {
> {code}
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=22525060&defectInstanceId=5116909&mergedDefectId=1440894&fileStart=376&fileEnd=625
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list