This is an automated email from the ASF dual-hosted git repository. reta pushed a commit to branch 3.6.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit f8b017abe6c6b584753c36ab47aff3b9e8d56e49 Author: Guillaume Nodet <[email protected]> AuthorDate: Thu May 7 11:41:36 2026 +0200 Fix OAuth2 test flakiness caused by Response and WebClient resource leaks (#2969) Close Response objects in OAuth2TestUtils.getLocation() methods using try-finally blocks to prevent connection pool exhaustion under CI load. Close WebClient instances in AuthorizationGrantTest and PublicClientTest after use to release HTTP connections. Co-authored-by: Claude Opus 4.6 <[email protected]> (cherry picked from commit cf0a947751006797e0b003c83687352816736107) --- .../security/oauth2/common/OAuth2TestUtils.java | 15 ++++++++--- .../oauth2/grants/AuthorizationGrantTest.java | 29 ++++++++++++++++++++-- .../security/oauth2/grants/PublicClientTest.java | 10 ++++++++ 3 files changed, 49 insertions(+), 5 deletions(-) diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java index d040d856361..5f3eeb6867d 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java @@ -125,8 +125,12 @@ public final class OAuth2TestUtils { client.path(parameters.getPath()); Response response = client.get(); - - OAuthAuthorizationData authzData = response.readEntity(OAuthAuthorizationData.class); + OAuthAuthorizationData authzData; + try { + authzData = response.readEntity(OAuthAuthorizationData.class); + } finally { + response.close(); + } return getLocation(client, authzData, parameters.getState()); } @@ -159,7 +163,12 @@ public final class OAuth2TestUtils { form.param("oauthDecision", "allow"); Response response = client.post(form); - String location = response.getHeaderString("Location"); + String location; + try { + location = response.getHeaderString("Location"); + } finally { + response.close(); + } if (state != null) { Assert.assertTrue(location.contains("state=" + state)); } diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java index f905424fa2b..f6ff9e3d1db 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java @@ -127,6 +127,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { // Get Authorization Code String code = OAuth2TestUtils.getAuthorizationCode(client); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); @@ -134,6 +135,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); @@ -166,6 +168,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { String location = OAuth2TestUtils.getLocation(client, authzData, null); String code = OAuth2TestUtils.getSubstring(location, "code"); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); @@ -173,6 +176,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); @@ -191,6 +195,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { // Get Authorization Code String code = OAuth2TestUtils.getAuthorizationCode(client); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(address, OAuth2TestUtils.setupProviders(), @@ -215,6 +220,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { accessToken = client.post(form, ClientAccessToken.class); assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); @@ -233,6 +239,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { // Get Authorization Code String code = OAuth2TestUtils.getAuthorizationCode(client, "read_balance"); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(address, OAuth2TestUtils.setupProviders(), @@ -259,6 +266,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); assertEquals("read_balance", accessToken.getApprovedScope()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); @@ -278,6 +286,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { // Get Authorization Code String code = OAuth2TestUtils.getAuthorizationCode(client, "read_balance"); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(address, OAuth2TestUtils.setupProviders(), @@ -303,6 +312,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); // assertEquals("read_balance", accessToken.getApprovedScope()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); @@ -321,6 +331,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { // Get Authorization Code String code = OAuth2TestUtils.getAuthorizationCode(client, "read_balance"); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); @@ -328,6 +339,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); + client.close(); } @org.junit.Test @@ -344,6 +356,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { String code = OAuth2TestUtils.getAuthorizationCode(client, "read_balance", "consumer-id", null, state); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(address, "consumer-id", "this-is-a-secret", null); @@ -351,6 +364,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); + client.close(); } @org.junit.Test @@ -365,6 +379,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { // Get Authorization Code String code = OAuth2TestUtils.getAuthorizationCode(client, null, "consumer-id-aud"); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(address, "consumer-id-aud", "this-is-a-secret", null); @@ -384,6 +399,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id-aud", audience); assertNotNull(accessToken.getTokenKey()); + client.close(); } @org.junit.Test @@ -415,10 +431,15 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { form.param("oauthDecision", "allow"); Response response = client.post(form); - - String location = response.getHeaderString("Location"); + String location; + try { + location = response.getHeaderString("Location"); + } finally { + response.close(); + } String accessToken = OAuth2TestUtils.getSubstring(location, "access_token"); assertNotNull(accessToken); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken); @@ -443,6 +464,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { ClientAccessToken accessToken = client.post(form, ClientAccessToken.class); assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); @@ -465,6 +487,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { ClientAccessToken accessToken = client.post(form, ClientAccessToken.class); assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); @@ -492,6 +515,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { ClientAccessToken accessToken = client.post(form, ClientAccessToken.class); assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); @@ -520,6 +544,7 @@ public class AuthorizationGrantTest extends AbstractBusClientServerTestBase { ClientAccessToken accessToken = client.post(form, ClientAccessToken.class); assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); + client.close(); if (isAccessTokenInJWTFormat()) { validateAccessToken(accessToken.getTokenKey()); diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java index b65ef72e259..68693acb74c 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java @@ -111,6 +111,8 @@ public class PublicClientTest extends AbstractClientServerTestBase { fail("Failure expected on a missing (registered) redirectURI"); } catch (Exception ex) { // expected + } finally { + client.close(); } } @@ -166,12 +168,14 @@ public class PublicClientTest extends AbstractClientServerTestBase { String location = OAuth2TestUtils.getLocation(client, parameters); String code = OAuth2TestUtils.getSubstring(location, "code"); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(tokenServiceAddress, busFile.toString()); ClientAccessToken accessToken = OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, "consumer-id", null, codeVerifier); assertNotNull(accessToken.getTokenKey()); + client.close(); } private void testPKCEMissingVerifier(CodeVerifierTransformer transformer) { @@ -196,6 +200,7 @@ public class PublicClientTest extends AbstractClientServerTestBase { String location = OAuth2TestUtils.getLocation(client, parameters); String code = OAuth2TestUtils.getSubstring(location, "code"); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(tokenServiceAddress, busFile.toString()); @@ -204,6 +209,8 @@ public class PublicClientTest extends AbstractClientServerTestBase { fail("Failure expected on a missing verifier"); } catch (OAuthServiceException ex) { assertFalse(ex.getError().getError().isEmpty()); + } finally { + client.close(); } } @@ -229,6 +236,7 @@ public class PublicClientTest extends AbstractClientServerTestBase { String location = OAuth2TestUtils.getLocation(client, parameters); String code = OAuth2TestUtils.getSubstring(location, "code"); assertNotNull(code); + client.close(); // Now get the access token client = WebClient.create(tokenServiceAddress, busFile.toString()); @@ -239,6 +247,8 @@ public class PublicClientTest extends AbstractClientServerTestBase { fail("Failure expected on a different verifier"); } catch (OAuthServiceException ex) { assertFalse(ex.getError().getError().isEmpty()); + } finally { + client.close(); } }
