[
https://issues.apache.org/jira/browse/HTTPCLIENT-1938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16569577#comment-16569577
]
Michael Osipov edited comment on HTTPCLIENT-1938 at 8/5/18 8:49 PM:
--------------------------------------------------------------------
This is basically a duplicate/subissue of HTTPCLIENT-1625. Both implementations
JGSS and SSPI are broken in HttpClient because the implementor did not know
what he was doing (completing the security loop). The HttpClient internal code
has to support the loop completion first and this is at most possible in
HttpClient 5.0. I do not recommend using it in a production environment.
There is a lot of FUD on the internet. Unfortunately, I haven't yet found the
time to make things right. This might change soon because I will start using it
in a project. You might want to search for my other comments.
was (Author: michael-o):
This is basically a duplicate/subissue of HTTPCLIENT-1625. Both implementations
JGSS and SSPI are broken in HttpClient because the implementor did not know
what he was doing (completing the security loop). I do not recommend using it
in a production environment.
There is a lot of FUD on the internet. Unfortunately, I haven't yet found the
time to make things right. This might change soon because I will start using it
in a project. You might want to search for my other comments.
> OS resources leak in HttpAuthenticator/WindowsNegotiateScheme
> -------------------------------------------------------------
>
> Key: HTTPCLIENT-1938
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1938
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (Windows)
> Affects Versions: 4.5.3
> Reporter: Marcin Krystianc
> Priority: Major
> Labels: Authentication, leak, negotiate
>
> I've discovered a resource leak in the HTTP authentication process on Windows,
> when the Negotiate method is used. It manifests itself as a slow memory leak in
> the {{lsass.exe}} process. Every time a Negotiate authentication is performed, a
> handle to client credentials and a handle to security context are leaked.
> The direct reason for it is that the {{dispose()}} method from the
> {{WindowsNegotiateScheme}} class is never called.
> As far as I understand the interaction between {{HttpAuthenticator}} and
> {{WindowsNegotiateScheme}}, it is caused by {{HttpAuthenticator}} not
> processing the final authentication header, as it goes directly to the
> {{SUCCESS}} state. Without processing the final authentication header, the
> {{WindowsNegotiateScheme}} class doesn't have a chance to complete security
> context initialisation, which is the cause for not releasing OS resources.
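For reference, the standard GSS-API initiator loop that the report and the comment refer to, as an added example that is not part of the original thread and is not HttpClient code. It uses the JDK's JGSS API (not SSPI or `WindowsNegotiateScheme`), assumes default Kerberos credentials are available to JGSS, and takes a hypothetical `exchange` callback standing in for the HTTP round trip.

```java
import java.util.function.UnaryOperator;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class SpnegoInitiatorLoop {

    /**
     * @param service  host-based service name, e.g. "HTTP@server.example.org" (constructed value)
     * @param exchange hypothetical transport: sends the token in "Authorization: Negotiate ..."
     *                 and returns the token from the response's "WWW-Authenticate: Negotiate ..."
     *                 header, or null if the response carried none. The final token normally
     *                 arrives on the 2xx response, not on a 401.
     * @return true only if the context was fully established and the server proved its identity
     */
    static boolean authenticate(String service, UnaryOperator<byte[]> exchange) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        Oid spnego = new Oid("1.3.6.1.5.5.2");
        // null credential = use the default initiator credential
        GSSContext ctx = manager.createContext(peer, spnego, null, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);
            byte[] in = new byte[0];
            while (!ctx.isEstablished()) {
                byte[] out = ctx.initSecContext(in, 0, in.length);
                // Send whatever the mechanism produced, even on the last leg.
                byte[] reply = (out != null) ? exchange.apply(out) : null;
                if (ctx.isEstablished()) {
                    break;
                }
                if (reply == null) {
                    // The server accepted the request but sent no final token:
                    // the context is incomplete, so do not report success.
                    return false;
                }
                in = reply; // feed the server's token back in, including the one on the 2xx response
            }
            return ctx.getMutualAuthState();
        } finally {
            // Always release the context, whether the loop completed, failed or threw.
            ctx.dispose();
        }
    }
}
```

The `in = reply` step on the successful response is the final authentication header the report describes as skipped, and the `finally` block is where the context is released regardless of outcome.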