[
https://issues.apache.org/jira/browse/HTTPCLIENT-1938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16569577#comment-16569577
]
Michael Osipov commented on HTTPCLIENT-1938:
--------------------------------------------
This is basically a duplicate/subissue of HTTPCLIENT-1625. Both implementations,
JGSS and SSPI, are broken in HttpClient because the implementor did not know
what he was doing (completing the security loop). I do not recommend using it
in a production environment.
There is a lot of FUD on the internet. Unfortunately, I haven't yet found the
time to make things right. This might change soon because I will start using it
in a project. You might want to search for my other comments.
> OS resources leak in HttpAuthenticator/WindowsNegotiateScheme
> -------------------------------------------------------------
>
> Key: HTTPCLIENT-1938
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1938
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (Windows)
> Affects Versions: 4.5.3
> Reporter: Marcin Krystianc
> Priority: Major
> Labels: Authentication, leak, negotiate
>
> I've discovered a resource leak in Http authentication process on Windows,
> when Negotiate method is used. It manifests itself as a slow memory leak in
> {{lsass.exe}} process. Every time a Negotiate authentication is performed a
> handle to client credentials and a handle to security context are leaked.
> The direct reason for it is that {{dispose()}} method from
> {{WindowsNegotiateScheme}} class is never called.
> As far as I understand the interaction between {{HttpAuthenticator}} and
> {{WindowsNegotiateScheme}}, it is caused by {{HttpAuthenticator}} not
> processing final authentication header, as it goes directly to the
> {{SUCCESS}} state. Without processing final authentication header,
> {{WindowsNegotiateScheme}} class doesn't have a chance to complete security
> context initialisation, which is the cause for not releasing OS resources.
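The failure mode described in the report, as an added example that is not part of the original message and is not HttpClient code: a self-contained Java model in which every class and method name is hypothetical and a counter stands in for the OS credential and security-context handles. It contrasts an exchange that stops at the success response with one that processes the final token and always releases its handles.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Constructed model, not HttpClient code: every name here is hypothetical.
public class NegotiateLeakDemo {
    // Stands in for the OS handles the report says accumulate in lsass.exe.
    static final AtomicInteger openHandles = new AtomicInteger();

    static final class NegotiateContext implements AutoCloseable {
        private boolean credHandle, ctxHandle, established;

        NegotiateContext() { credHandle = true; openHandles.incrementAndGet(); }

        // One leg of the handshake: consume the server token, return ours.
        byte[] step(byte[] serverToken, boolean finalLeg) {
            if (!ctxHandle) { ctxHandle = true; openHandles.incrementAndGet(); }
            established = finalLeg;
            return finalLeg ? null : new byte[] {1};
        }

        boolean isEstablished() { return established; }

        @Override public void close() {
            if (ctxHandle) { ctxHandle = false; openHandles.decrementAndGet(); }
            if (credHandle) { credHandle = false; openHandles.decrementAndGet(); }
        }
    }

    // Behaviour described in the report: the success response ends the exchange,
    // its final token is never processed and the handles are never released.
    static boolean leakyExchange() {
        NegotiateContext ctx = new NegotiateContext();
        ctx.step(null, false);            // first leg: send the initial token
        // server replies with success + final token; caller goes straight to SUCCESS
        return ctx.isEstablished();       // false: the context was never completed
    }

    // Completed loop: feed the final token, then always release the handles.
    static boolean completedExchange() {
        try (NegotiateContext ctx = new NegotiateContext()) {
            ctx.step(null, false);
            ctx.step(new byte[] {2}, true);   // final token from the success response
            return ctx.isEstablished();
        }
    }

    public static void main(String[] args) {
        for (int i = 0; i < 1000; i++) leakyExchange();
        System.out.println("leaky: open handles = " + openHandles.get());
        openHandles.set(0);
        for (int i = 0; i < 1000; i++) completedExchange();
        System.out.println("completed: open handles = " + openHandles.get());
    }
}
```

In the model the leaky path leaves two handles open per authentication and never reaches an established context, while the completed path returns the count to zero.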