PicketLink Federated Identity
PLFED-257: Possible memory leak: tokens in DefaultTokenRegistry are not correctly cleared


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: PLFED_2.0.1.final
    • Fix Version/s: PLFED_2.0.2.final
    • Component/s: SAML, STS
    • Labels: None

Description

    Let's assume the simple use case:

    • User goes to http://localhost:8080/employee
    • Login at IP as tomcat/tomcat. Now an assertion is created and a new token is created by STS, which also means registration of the token in DefaultTokenRegistry.
    • User is redirected to http://localhost:8080/employee. Now he presses logout.
    • User is logged out, but the STS token is not canceled at the IP side.

    DefaultTokenRegistry is used by SAML20AssertionTokenProvider to create a new token for each assertion issued by IP. These tokens should always be cleared during logout of the client or expiration of the HTTP session. Right now, clearing (calling cancel of tokens at STS) is implemented in SAML2LogOutHandler&IDPLogOutHandler.handleStatusResponseType but not in SAML2LogOutHandler&IDPLogOutHandler.handleRequestType. Expiration of the HTTP session also doesn't clear its tokens.

    I think that we can make an HttpSessionListener to clear expired tokens after expiration of particular HTTP sessions.

    Issue 2: DefaultTokenRegistry from PicketLink STS is shared among all clients. So I think that it should use "ConcurrentHashMap" instead of "HashMap" to store tokens.
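The two fixes proposed in the report (tie each issued token to the HTTP session it was issued for so that logout and session expiry cancel it, and back the shared registry with a ConcurrentHashMap) are sketched below as an added, stand-alone example. It is not PicketLink code and does not use DefaultTokenRegistry's real API; the class and method names (SessionAwareTokenRegistry, addToken, cancelTokensForSession, TokenCleanupListener) are hypothetical. Only the servlet API types (HttpSessionListener, HttpSessionEvent) are real.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Illustrative token registry (hypothetical, not PicketLink's DefaultTokenRegistry).
 *
 * Tokens are keyed by token id and additionally indexed by the HTTP session they
 * were issued for, so that an explicit logout (handleRequestType as well as
 * handleStatusResponseType) and a container session timeout can both cancel every
 * token belonging to that session. All maps are concurrent because one registry
 * instance is shared by every client of the STS.
 */
public final class SessionAwareTokenRegistry {

    /** Single shared instance, so a no-arg servlet listener can reach it. */
    public static final SessionAwareTokenRegistry INSTANCE = new SessionAwareTokenRegistry();

    private final Map<String, Object> tokensById = new ConcurrentHashMap<>();
    private final Map<String, Set<String>> tokenIdsBySession = new ConcurrentHashMap<>();
    private final Map<String, String> sessionIdByToken = new ConcurrentHashMap<>();

    /** Register a freshly issued token and remember which session it belongs to. */
    public void addToken(String sessionId, String tokenId, Object token) {
        tokensById.put(tokenId, token);
        sessionIdByToken.put(tokenId, sessionId);
        tokenIdsBySession
            .computeIfAbsent(sessionId, k -> ConcurrentHashMap.newKeySet())
            .add(tokenId);
    }

    public Object getToken(String tokenId) {
        return tokensById.get(tokenId);
    }

    /** Cancel a single token (e.g. on an STS cancel request). Returns true if it existed. */
    public boolean removeToken(String tokenId) {
        Object removed = tokensById.remove(tokenId);
        String sessionId = sessionIdByToken.remove(tokenId);
        if (sessionId != null) {
            Set<String> ids = tokenIdsBySession.get(sessionId);
            if (ids != null) {
                ids.remove(tokenId);
                if (ids.isEmpty()) tokenIdsBySession.remove(sessionId, ids);
            }
        }
        return removed != null;
    }

    /**
     * Cancel every token issued for one session. Called from the logout handler
     * and from the session listener below, so nothing is left behind in either path.
     * Returns the number of tokens actually removed.
     */
    public int cancelTokensForSession(String sessionId) {
        Set<String> ids = tokenIdsBySession.remove(sessionId);
        if (ids == null) return 0;
        int removed = 0;
        for (String id : ids) {
            sessionIdByToken.remove(id);
            if (tokensById.remove(id) != null) removed++;
        }
        return removed;
    }

    public int size() {
        return tokensById.size();
    }

    /**
     * Servlet listener that plugs session expiry into the registry. Declare it in
     * web.xml with a <listener> element; sessionDestroyed fires both for an explicit
     * HttpSession.invalidate() at logout and for a container-side timeout.
     */
    public static final class TokenCleanupListener implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent se) {
            // nothing to do: tokens are registered when the STS issues them
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent se) {
            INSTANCE.cancelTokensForSession(se.getSession().getId());
        }
    }

    /** Constructed demo: two sessions, one logs out, the other's token survives. */
    public static void main(String[] args) {
        SessionAwareTokenRegistry r = new SessionAwareTokenRegistry();
        r.addToken("sessA", "ID_a1", "assertion-a1");
        r.addToken("sessA", "ID_a2", "assertion-a2");
        r.addToken("sessB", "ID_b1", "assertion-b1");
        int cancelled = r.cancelTokensForSession("sessA");
        System.out.println("cancelled for sessA: " + cancelled + ", remaining: " + r.size());
        System.out.println("sessB token still present: " + (r.getToken("ID_b1") != null));
    }
}
```

The reverse index (sessionIdByToken) keeps single-token cancellation O(1) instead of scanning every session's set, and removing the per-session set once it is empty keeps the registry from growing with the number of sessions ever seen, which is the same class of leak the report describes.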

People

    anil.saldhana Anil Saldanha (Inactive)
    mposolda@redhat.com Marek Posolda
    Archiver: samahaja@redhat.com Sagar Mahajan
