This is an automated email from the ASF dual-hosted git repository.

reta pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit f8b017abe6c6b584753c36ab47aff3b9e8d56e49
Author: Guillaume Nodet <[email protected]>
AuthorDate: Thu May 7 11:41:36 2026 +0200

    Fix OAuth2 test flakiness caused by Response and WebClient resource leaks 
(#2969)
    
    Close Response objects in OAuth2TestUtils.getLocation() methods using
    try-finally blocks to prevent connection pool exhaustion under CI load.
    Close WebClient instances in AuthorizationGrantTest and PublicClientTest
    after use to release HTTP connections.
    
    Co-authored-by: Claude Opus 4.6 <[email protected]>
    (cherry picked from commit cf0a947751006797e0b003c83687352816736107)
---
 .../security/oauth2/common/OAuth2TestUtils.java    | 15 ++++++++---
 .../oauth2/grants/AuthorizationGrantTest.java      | 29 ++++++++++++++++++++--
 .../security/oauth2/grants/PublicClientTest.java   | 10 ++++++++
 3 files changed, 49 insertions(+), 5 deletions(-)

diff --git 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
index d040d856361..5f3eeb6867d 100644
--- 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
+++ 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/common/OAuth2TestUtils.java
@@ -125,8 +125,12 @@ public final class OAuth2TestUtils {
 
         client.path(parameters.getPath());
         Response response = client.get();
-
-        OAuthAuthorizationData authzData = 
response.readEntity(OAuthAuthorizationData.class);
+        OAuthAuthorizationData authzData;
+        try {
+            authzData = response.readEntity(OAuthAuthorizationData.class);
+        } finally {
+            response.close();
+        }
         return getLocation(client, authzData, parameters.getState());
     }
 
@@ -159,7 +163,12 @@ public final class OAuth2TestUtils {
         form.param("oauthDecision", "allow");
 
         Response response = client.post(form);
-        String location = response.getHeaderString("Location");
+        String location;
+        try {
+            location = response.getHeaderString("Location");
+        } finally {
+            response.close();
+        }
         if (state != null) {
             Assert.assertTrue(location.contains("state=" + state));
         }
diff --git 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
index f905424fa2b..f6ff9e3d1db 100644
--- 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
+++ 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/AuthorizationGrantTest.java
@@ -127,6 +127,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         // Get Authorization Code
         String code = OAuth2TestUtils.getAuthorizationCode(client);
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(address, "consumer-id", "this-is-a-secret", 
null);
@@ -134,6 +135,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         ClientAccessToken accessToken =
             OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code);
         assertNotNull(accessToken.getTokenKey());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
@@ -166,6 +168,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         String location = OAuth2TestUtils.getLocation(client, authzData, null);
         String code =  OAuth2TestUtils.getSubstring(location, "code");
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(address, "consumer-id", "this-is-a-secret", 
null);
@@ -173,6 +176,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         ClientAccessToken accessToken =
             OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code);
         assertNotNull(accessToken.getTokenKey());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
@@ -191,6 +195,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         // Get Authorization Code
         String code = OAuth2TestUtils.getAuthorizationCode(client);
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
@@ -215,6 +220,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         accessToken = client.post(form, ClientAccessToken.class);
         assertNotNull(accessToken.getTokenKey());
         assertNotNull(accessToken.getRefreshToken());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
@@ -233,6 +239,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         // Get Authorization Code
         String code = OAuth2TestUtils.getAuthorizationCode(client, 
"read_balance");
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
@@ -259,6 +266,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         assertNotNull(accessToken.getTokenKey());
         assertNotNull(accessToken.getRefreshToken());
         assertEquals("read_balance", accessToken.getApprovedScope());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
@@ -278,6 +286,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         // Get Authorization Code
         String code = OAuth2TestUtils.getAuthorizationCode(client, 
"read_balance");
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
@@ -303,6 +312,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         assertNotNull(accessToken.getTokenKey());
         assertNotNull(accessToken.getRefreshToken());
 //        assertEquals("read_balance", accessToken.getApprovedScope());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
@@ -321,6 +331,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         // Get Authorization Code
         String code = OAuth2TestUtils.getAuthorizationCode(client, 
"read_balance");
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(address, "consumer-id", "this-is-a-secret", 
null);
@@ -328,6 +339,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         ClientAccessToken accessToken =
             OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code);
         assertNotNull(accessToken.getTokenKey());
+        client.close();
     }
 
     @org.junit.Test
@@ -344,6 +356,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         String code = OAuth2TestUtils.getAuthorizationCode(client, 
"read_balance", "consumer-id",
                                                            null, state);
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(address, "consumer-id", "this-is-a-secret", 
null);
@@ -351,6 +364,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         ClientAccessToken accessToken =
             OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code);
         assertNotNull(accessToken.getTokenKey());
+        client.close();
     }
 
     @org.junit.Test
@@ -365,6 +379,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         // Get Authorization Code
         String code = OAuth2TestUtils.getAuthorizationCode(client, null, 
"consumer-id-aud");
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(address, "consumer-id-aud", 
"this-is-a-secret", null);
@@ -384,6 +399,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
             OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code,
                                                                 
"consumer-id-aud", audience);
         assertNotNull(accessToken.getTokenKey());
+        client.close();
     }
 
     @org.junit.Test
@@ -415,10 +431,15 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         form.param("oauthDecision", "allow");
 
         Response response = client.post(form);
-
-        String location = response.getHeaderString("Location");
+        String location;
+        try {
+            location = response.getHeaderString("Location");
+        } finally {
+            response.close();
+        }
         String accessToken = OAuth2TestUtils.getSubstring(location, 
"access_token");
         assertNotNull(accessToken);
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken);
@@ -443,6 +464,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         ClientAccessToken accessToken = client.post(form, 
ClientAccessToken.class);
         assertNotNull(accessToken.getTokenKey());
         assertNotNull(accessToken.getRefreshToken());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
@@ -465,6 +487,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         ClientAccessToken accessToken = client.post(form, 
ClientAccessToken.class);
         assertNotNull(accessToken.getTokenKey());
         assertNotNull(accessToken.getRefreshToken());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
@@ -492,6 +515,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         ClientAccessToken accessToken = client.post(form, 
ClientAccessToken.class);
         assertNotNull(accessToken.getTokenKey());
         assertNotNull(accessToken.getRefreshToken());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
@@ -520,6 +544,7 @@ public class AuthorizationGrantTest extends 
AbstractBusClientServerTestBase {
         ClientAccessToken accessToken = client.post(form, 
ClientAccessToken.class);
         assertNotNull(accessToken.getTokenKey());
         assertNotNull(accessToken.getRefreshToken());
+        client.close();
 
         if (isAccessTokenInJWTFormat()) {
             validateAccessToken(accessToken.getTokenKey());
diff --git 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
index b65ef72e259..68693acb74c 100644
--- 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
+++ 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/oauth2/grants/PublicClientTest.java
@@ -111,6 +111,8 @@ public class PublicClientTest extends 
AbstractClientServerTestBase {
             fail("Failure expected on a missing (registered) redirectURI");
         } catch (Exception ex) {
             // expected
+        } finally {
+            client.close();
         }
     }
 
@@ -166,12 +168,14 @@ public class PublicClientTest extends 
AbstractClientServerTestBase {
         String location = OAuth2TestUtils.getLocation(client, parameters);
         String code = OAuth2TestUtils.getSubstring(location, "code");
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(tokenServiceAddress, busFile.toString());
         ClientAccessToken accessToken =
             OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code, 
"consumer-id", null, codeVerifier);
         assertNotNull(accessToken.getTokenKey());
+        client.close();
     }
 
     private void testPKCEMissingVerifier(CodeVerifierTransformer transformer) {
@@ -196,6 +200,7 @@ public class PublicClientTest extends 
AbstractClientServerTestBase {
         String location = OAuth2TestUtils.getLocation(client, parameters);
         String code = OAuth2TestUtils.getSubstring(location, "code");
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(tokenServiceAddress, busFile.toString());
@@ -204,6 +209,8 @@ public class PublicClientTest extends 
AbstractClientServerTestBase {
             fail("Failure expected on a missing verifier");
         } catch (OAuthServiceException ex) {
             assertFalse(ex.getError().getError().isEmpty());
+        } finally {
+            client.close();
         }
     }
 
@@ -229,6 +236,7 @@ public class PublicClientTest extends 
AbstractClientServerTestBase {
         String location = OAuth2TestUtils.getLocation(client, parameters);
         String code = OAuth2TestUtils.getSubstring(location, "code");
         assertNotNull(code);
+        client.close();
 
         // Now get the access token
         client = WebClient.create(tokenServiceAddress, busFile.toString());
@@ -239,6 +247,8 @@ public class PublicClientTest extends 
AbstractClientServerTestBase {
             fail("Failure expected on a different verifier");
         } catch (OAuthServiceException ex) {
             assertFalse(ex.getError().getError().isEmpty());
+        } finally {
+            client.close();
         }
     }
 

Reply via email to