[
https://issues.apache.org/jira/browse/JCR-4033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nicolas FILOTTO updated JCR-4033:
---------------------------------
Attachment: JCR-4033.patch
Please find a patch proposal that initializes the field openStackTrace only at
the end of the constructor, this way in the finalizer we know that if it is not
null, it means that the session was fully created. Optionally I check the log
level to know whether or not it is needed to initializes openStackTrace as
creating a exception is costly
> Session Leak in case of an exception inside the constructor of SessionImpl
> --------------------------------------------------------------------------
>
> Key: JCR-4033
> URL: https://issues.apache.org/jira/browse/JCR-4033
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core
> Affects Versions: 2.13.1
> Reporter: Nicolas FILOTTO
> Attachments: JCR-4033.patch
>
>
> If an exception occurs inside the constructor of SessionImpl, the session is
> then partially created but it is still considered as alive and a live session
> that is about to be GCed is considered as a session leak by the current code
> such that we get a warning of type
> {code}
> WARN o.a.jackrabbit.core.SessionImpl - Unclosed session detected. The
> session was opened here:
> java.lang.Exception: Stack Trace
> at org.apache.jackrabbit.core.SessionImpl.<init>(SessionImpl.java:222)
> at org.apache.jackrabbit.core.SessionImpl.<init>(SessionImpl.java:239)
> at org.apache.jackrabbit.core.XASessionImpl.<init>(XASessionImpl.java:101)
> at
> org.apache.jackrabbit.core.RepositoryImpl.createSessionInstance(RepositoryImpl.java:1613)
> at
> org.apache.jackrabbit.core.RepositoryImpl.createSession(RepositoryImpl.java:956)
> at
> org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1501)
> at
> org.apache.jackrabbit.commons.AbstractRepository.login(AbstractRepository.java:144)
> at ttt.createSession(RepositoryManager.java:132)
> {code}
> One concrete use case is an attempt to login with correct credentials but
> without enough rights to access to a given workspace, we then get a
> Workspace access denied which occurs in the constructor of SessionImpl so we
> finally get the warning indicating that we have a session leak which should
> not be the case here.
> The code to reproduce:
> {code:java}
> Session session = repository.login(creds); //here are creds for user without
> permissions, just for testing
> {code}
> The stack trace:
> {code}
> Caused by: javax.jcr.LoginException: Workspace access denied
> at
> org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1529)
> at
> org.apache.jackrabbit.commons.AbstractRepository.login(AbstractRepository.java:144)
> at ttt.createSession(RepositoryManager.java:132)
> ... 51 common frames omitted
> Caused by: javax.jcr.AccessDeniedException: Not allowed to access Workspace
> default
> at
> org.apache.jackrabbit.core.security.DefaultAccessManager.init(DefaultAccessManager.java:159)
> at
> org.apache.jackrabbit.core.DefaultSecurityManager.getAccessManager(DefaultSecurityManager.java:280)
> at
> org.apache.jackrabbit.core.SessionImpl.createAccessManager(SessionImpl.java:356)
> at org.apache.jackrabbit.core.SessionImpl.<init>(SessionImpl.java:273)
> at org.apache.jackrabbit.core.SessionImpl.<init>(SessionImpl.java:239)
> at org.apache.jackrabbit.core.XASessionImpl.<init>(XASessionImpl.java:101)
> at
> org.apache.jackrabbit.core.RepositoryImpl.createSessionInstance(RepositoryImpl.java:1613)
> at
> org.apache.jackrabbit.core.RepositoryImpl.createSession(RepositoryImpl.java:956)
> at
> org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1501)
> {code}
> More details in this post
> http://stackoverflow.com/questions/39163571/jackrabbit-unclosed-session-detected-on-accessdeniedexception-but-session-is-nul
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
