-
Bug
-
Resolution: Done
-
Critical
-
7.1.0.DR19
-
None
Coverity found possible resource leak. On 2 places there is created ServerAuthenticationContext in SecurityIdentity but is not closed.
SecurityIdentity.java
public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException { Assert.checkNotNullParam("principal", principal); // rewrite principal final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY)); try { if (! (context.importIdentity(this) && context.authorize(principal, authorize))) { throw log.runAsAuthorizationFailed(this.principal, principal, null); } } catch (RealmUnavailableException e) { throw log.runAsAuthorizationFailed(this.principal, context.getAuthenticationPrincipal(), e); } return context.getAuthorizedIdentity(); } public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY)); if (! context.authorizeAnonymous(authorize)) { throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null); } return context.getAuthorizedIdentity(); }
In SecurityDomainTrustManager newly created ServerAuthenticationContext is closed in try-with-resource
SecurityDomainTrustManager.java
try (final ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(mechanismConfigurationSelector)) {
- is cloned by
-
-
- Resolved
-
- is incorporated by
-
JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3
-
- Closed
-