[ 
https://issues.apache.org/jira/browse/GERONIMO-5800?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13213428#comment-13213428
 ] 

David Jencks commented on GERONIMO-5800:
----------------------------------------

I think that if you deploy any web app that uses security, visit a secured web 
page (requiring you to log in), and examine ContextManager.subjectContexts you 
will see an entry.  There is no code anywhere to remove that entry.

IIRC there is a call into the jaspic authenticator when the request is about to 
return and we should try putting the code I suggested in that method or in the 
code that calls that method.  For jetty, the authenticators may not be actual 
jaspic authenticators but something similar more adapted to web apps.
                
> logged-in Subjects are cleaned up after web requests complete
> -------------------------------------------------------------
>
>                 Key: GERONIMO-5800
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-5800
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Jetty, Tomcat
>    Affects Versions: 2.2.1, 3.0
>            Reporter: David Jencks
>            Assignee: David Jencks
>
> We generally don't clean up the logged in Subject when a web request returns.
> This results in a memory leak in ContextManager.subjectContexts. As well as
> geronimo changes I think this will need changes in the Jetty Authenticators 
> we use.  I think we control all the affected tomcat code.  Ejb requests 
> appear to already clean this up on exit.
> As an application-level workaround your app can call:
> Subject subject = ContextManager.getCurrentCaller();
> ContextManager.unregisterSubject(subject);
> immediately before control returns to the client.  (I haven't tested this to 
> make sure it doesn't break something else)
> Thanks to Morten Svanaes and David Frahm for reporting this problem on the 
> user list.  There may be a similar problem in 2.1.x but the code and solution 
> will be somewhat different.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
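
The application-level workaround quoted in the issue, wrapped in a servlet filter so it runs on every exit path. This is an added example, not Geronimo code or code from the issue, and it is as untested as the workaround itself. The class name `SubjectCleanupFilter`, its package, and the `org.apache.geronimo.security` import location are assumptions.

```java
package example; // hypothetical package

import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Assumed location of the ContextManager class named in the issue.
import org.apache.geronimo.security.ContextManager;

/** Hypothetical filter; map it to the secured URL patterns in web.xml. */
public class SubjectCleanupFilter implements Filter {
    private ServletContext context;

    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } finally {
            // Runs on normal return and on exceptions, i.e. "immediately
            // before control returns to the client".
            Subject subject = ContextManager.getCurrentCaller();
            if (subject != null) { // may be null when no caller is set on this thread
                try {
                    ContextManager.unregisterSubject(subject);
                } catch (RuntimeException e) {
                    // Cleanup must not mask the application's own outcome.
                    context.log("Subject cleanup failed", e);
                }
            }
        }
    }

    public void destroy() {
        context = null;
    }
}
```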

        
