geronimo-dev mailing list archives

From "David Jencks (Commented) (JIRA)" <>
Subject [jira] [Commented] (GERONIMO-5800) logged-in Subjects are cleaned up after web requests complete
Date Wed, 22 Feb 2012 07:50:51 GMT


David Jencks commented on GERONIMO-5800:

I think that if you deploy any web app that uses security, visit a secured web page (requiring
you to log in), and examine ContextManager.subjectContexts you will see an entry.  There is
no code anywhere to remove that entry.

IIRC there is a call into the jaspic authenticator when the request is about to return and
we should try putting the code I suggested in that method or in the code that calls that method.
For jetty, the authenticators may not be actual jaspic authenticators but something similar
more adapted to web apps.

> logged-in Subjects are cleaned up after web requests complete
> -------------------------------------------------------------
>                 Key: GERONIMO-5800
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Jetty, Tomcat
>    Affects Versions: 2.2.1, 3.0
>            Reporter: David Jencks
>            Assignee: David Jencks
> We generally don't clean up the logged in Subject when a web request returns.  This results
> in a memory leak in ContextManager.subjectContexts. As well as geronimo changes I think this
> will need changes in the Jetty Authenticators we use.  I think we control all the affected
> tomcat code.  Ejb requests appear to already clean this up on exit.
>
> As an application-level workaround your app can call:
>
>     Subject subject = ContextManager.getCurrentCaller();
>     ContextManager.unregisterSubject(subject);
>
> immediately before control returns to the client.  (I haven't tested this to make sure
> it doesn't break something else)
>
> Thanks to Morten Svanaes and David Frahm for reporting this problem on the user list.
> There may be a similar problem in 2.1.x but the code and solution will be somewhat different.

This message is automatically generated by JIRA.