Despite the fact ServerAuthenticationContext is AutoClosable. Newly created instance in HttpAuthenticator#login() is not closed and no reference is passed outside of method, so is left unclosed forever.

[1] https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=46513446&defectInstanceId=9767772&mergedDefectId=1464362