geronimo-dev mailing list archives

From "David Jencks (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GERONIMO-5800) logged-in Subjects are cleaned up after web requests complete
Date Wed, 22 Feb 2012 07:50:51 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-5800?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13213428#comment-13213428 ]

David Jencks commented on GERONIMO-5800:
----------------------------------------

I think that if you deploy any web app that uses security, visit a secured web page (requiring
you to log in), and examine ContextManager.subjectContexts you will see an entry.  There is
no code anywhere to remove that entry.

IIRC there is a call into the jaspic authenticator when the request is about to return and
we should try putting the code I suggested in that method or in the code that calls that method.
 For jetty, the authenticators may not be actual jaspic authenticators but something similar
more adapted to web apps.
                
> logged-in Subjects are cleaned up after web requests complete
> -------------------------------------------------------------
>
>                 Key: GERONIMO-5800
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5800
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Jetty, Tomcat
>    Affects Versions: 2.2.1, 3.0
>            Reporter: David Jencks
>            Assignee: David Jencks
>
> We generally don't clean up the logged in Subject when a web request returns.  This results
> in a memory leak in ContextManager.subjectContexts. As well as geronimo changes I think this
> will need changes in the Jetty Authenticators we use.  I think we control all the affected
> tomcat code.  Ejb requests appear to already clean this up on exit.
> As an application-level workaround your app can call:
>     Subject subject = ContextManager.getCurrentCaller();
>     ContextManager.unregisterSubject(subject);
> immediately before control returns to the client.  (I haven't tested this to make sure
> it doesn't break something else)
> Thanks to Morten Svanaes and David Frahm for reporting this problem on the user list.
> There may be a similar problem in 2.1.x but the code and solution will be somewhat different.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
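
One way to apply the application-level workaround quoted above on every request is a servlet filter that unregisters the caller's Subject in a `finally` block. This is an added example, not code from the message or from Geronimo: the class name `SubjectCleanupFilter` is hypothetical, the package `org.apache.geronimo.security` for `ContextManager` is an assumption, and the null check and exception handling are defensive guesses because the message does not say how `unregisterSubject` treats a null or unregistered Subject.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Assumed package for the ContextManager class named in the message.
import org.apache.geronimo.security.ContextManager;

/** Hypothetical filter (not part of Geronimo) wrapping the quoted workaround. */
public class SubjectCleanupFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(SubjectCleanupFilter.class.getName());

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed.
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(request, response);
        } finally {
            // Runs on normal return and on exceptions alike, i.e.
            // "immediately before control returns to the client".
            unregisterCurrentCaller();
        }
    }

    private void unregisterCurrentCaller() {
        try {
            Subject subject = ContextManager.getCurrentCaller();
            if (subject != null) {
                // Drops this Subject's entry from ContextManager.subjectContexts.
                ContextManager.unregisterSubject(subject);
            }
        } catch (RuntimeException e) {
            // Cleanup must never mask an exception thrown by the application.
            LOG.log(Level.WARNING, "Could not unregister Subject after request", e);
        }
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter in `web.xml` to the same URL patterns as the security constraints. Like the workaround it wraps, it is untested against the container's authenticators, so verify that later requests in the same session still authenticate.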

        
