WildFly / WFLY-3429

Classloader leak in JBossCachedAuthenticationManager

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Versions: 9.0.0.CR1, 8.1.0.Final
    • Component/s: Security
    • Labels: None

      Steps to reproduce:

      1. Add a user to the ApplicationRealm (linked with "other" security domain)

      ./add-user.sh -a -u user1 -p password1! -r ApplicationRealm -g app-user

      2. start the AS

      ./standalone.sh

      3. deploy a web application with a secured servlet allowing access to role "app-user" (No security domain is referenced in the jboss-web.xml, so the default domain "other" is used.)

      ./jboss-cli -c "deploy /tmp/secured-webapp.war"

      4. open the servlet URL in the browser and login as a "user1" with password "password1!"

      5. redeploy the application

      ./jboss-cli -c "undeploy secured-webapp.war"
      ./jboss-cli -c "deploy /tmp/secured-webapp.war"

      => LEAK - the first deployment's ModuleClassLoader is not destroyed, because it's referenced through the LoginContext instance from the JBossCachedAuthenticationManager

      When using a security domain with cache-type="default", the ModuleClassLoader instances related to deployments leak through JBossCachedAuthenticationManager.

      The problematic piece of code is the domainCache member variable, whose DomainInfo values hold a LoginContext instance. This LoginContext has a member contextClassLoader which causes the leak (it points to the ModuleClassLoader of the deployment).

      One option to solve this issue could be to remove the cache entries which are related to the undeployed application.
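The following added example is hypothetical code, not WildFly's JBossCachedAuthenticationManager: it models the mechanism the report describes (a per-domain cache whose entries carry the login thread's context class loader, so the entry keeps the deployment's class loader reachable) and the cleanup the report suggests (evicting the entries that belong to the undeployed loader). Class and method names (AuthCacheLeakDemo, CachedEntry, login, evictEntriesFor, isCollected) are assumptions; only the field name domainCache and the DomainInfo/LoginContext/contextClassLoader relationship come from the report. A WeakReference stands in for the heap-dump check a practitioner would use to confirm the leak on a real server.

```java
import java.lang.ref.WeakReference;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical model of the leak in WFLY-3429 (not WildFly code): an
 * authentication cache keyed by principal whose values hold a "LoginContext"
 * that captured the deploying thread's context class loader.
 */
public class AuthCacheLeakDemo {

    /** Stand-in for the cached DomainInfo value. */
    static final class CachedEntry {
        final Object loginContext;            // in WildFly: javax.security.auth.login.LoginContext
        final ClassLoader contextClassLoader; // captured from the request thread; this is the leaking edge
        CachedEntry(Object loginContext, ClassLoader contextClassLoader) {
            this.loginContext = loginContext;
            this.contextClassLoader = contextClassLoader;
        }
    }

    /** Simplified cache: principal name -> entry (the real cache is per security domain). */
    static final Map<String, CachedEntry> domainCache = new ConcurrentHashMap<>();

    /** Simulates a login on a request thread whose TCCL is the deployment's loader (step 4). */
    static void login(String principal, ClassLoader deploymentLoader) {
        domainCache.put(principal, new CachedEntry(new Object(), deploymentLoader));
    }

    /** The mitigation the report proposes: drop cache entries tied to the undeployed loader. */
    static int evictEntriesFor(ClassLoader undeployedLoader) {
        int before = domainCache.size();
        domainCache.values().removeIf(e -> e.contextClassLoader == undeployedLoader);
        return before - domainCache.size();
    }

    /** True if the referent was collected after a few GC requests (System.gc() is only a hint). */
    static boolean isCollected(WeakReference<ClassLoader> ref) throws InterruptedException {
        for (int i = 0; i < 5 && ref.get() != null; i++) {
            System.gc();
            Thread.sleep(50);
        }
        return ref.get() == null;
    }

    public static void main(String[] args) throws Exception {
        // Each deployment gets its own loader; an empty URLClassLoader is enough to observe GC.
        ClassLoader deployment1 = new URLClassLoader(new URL[0], AuthCacheLeakDemo.class.getClassLoader());
        WeakReference<ClassLoader> ref = new WeakReference<>(deployment1);

        login("user1", deployment1); // user authenticates, entry lands in the cache
        deployment1 = null;          // undeploy: the server drops its own strong references

        // The cache still reaches the loader through contextClassLoader, so it is not collected.
        System.out.println("collected with cache untouched: " + isCollected(ref)); // expected: false

        // Evict the entries that belong to the undeployed loader, then the loader becomes unreachable.
        int evicted = evictEntriesFor(ref.get());
        System.out.println("entries evicted: " + evicted);                         // expected: 1
        System.out.println("collected after eviction: " + isCollected(ref));       // expected: true
    }
}
```

On a running server the equivalent check is a heap dump after the redeploy: a ModuleClassLoader for the old deployment that is still reachable, with the path leading through the DomainInfo and LoginContext objects in the cache, is the signature the report describes; once the eviction runs on undeploy, that path disappears.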

              Assignee: Emmanuel Hugonnet
              Reporter: Josef Cacek (Inactive)
              Votes: 0
              Watchers: 5