ResourceResolver objects may remain unclosed after handleSecurity
-----------------------------------------------------------------
Key: SLING-1716
URL: https://issues.apache.org/jira/browse/SLING-1716
Project: Sling
Issue Type: Bug
Components: Authentication
Affects Versions: Auth Core 1.0.2
Reporter: Felix Meschberger
Assignee: Felix Meschberger
Fix For: Auth Core 1.0.4

The SlingAuthenticator.handleSecurity method extracts credentials from the
request (with the help of AuthenticationHandlers). Using these credentials, a
ResourceResolver is created, presumably for use during request processing.
After successfully creating the resource resolver,
AuthenticationFeedbackHandler.authenticationSucceeded is called. This method
may redirect the request and return true to indicate the request should be
terminated. The DefaultFeedbackHandler can do the same.

If such a feedback handler decides to redirect the request after the
ResourceResolver has been successfully created, handleSecurity returns false to
tell the OSGi HttpService to consider authentication failed and to terminate
the request.

In this situation, the ResourceResolver is not closed and will only be closed
eventually, by its finalize() method.

This is not a good situation, though, and the handleSecurity method (or one of
the ResourceResolver factory methods in the SlingAuthenticator) should close
the ResourceResolver if the request should be terminated.
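
The leak and the proposed fix, as an added sketch that is not Sling's code or the committed patch. Resolver, Feedback and both handleSecurity variants are hypothetical stand-ins for ResourceResolver, the feedback handlers and SlingAuthenticator.handleSecurity; the counter only makes unclosed resolvers visible.

```java
import java.util.concurrent.atomic.AtomicInteger;

public class HandleSecurityLeakDemo {
    // Number of stand-in resolvers that are currently open.
    static final AtomicInteger OPEN = new AtomicInteger();

    // Hypothetical stand-in for a ResourceResolver.
    static final class Resolver implements AutoCloseable {
        private boolean closed;
        Resolver() { OPEN.incrementAndGet(); }
        @Override public void close() {
            if (!closed) { closed = true; OPEN.decrementAndGet(); }
        }
    }

    // Hypothetical stand-in for a feedback handler:
    // true means a response (e.g. a redirect) was sent and the request must end.
    interface Feedback { boolean authenticationSucceeded(); }

    // Behaviour described in the issue: the resolver is dropped on the terminate path.
    static boolean handleSecurityLeaky(Feedback fb) {
        Resolver resolver = new Resolver();
        if (fb.authenticationSucceeded()) {
            return false; // request terminated, resolver left for finalize()
        }
        return true; // resolver would be handed on to request processing
    }

    // Proposed behaviour: close the resolver before reporting termination.
    static boolean handleSecurityFixed(Feedback fb) {
        Resolver resolver = new Resolver();
        boolean terminate = true; // stays true if the handler throws
        try {
            terminate = fb.authenticationSucceeded();
        } finally {
            if (terminate) resolver.close();
        }
        return !terminate; // when true, the open resolver serves the request
    }

    public static void main(String[] args) {
        Feedback redirecting = () -> true; // constructed handler that always redirects
        for (int i = 0; i < 3; i++) handleSecurityLeaky(redirecting);
        System.out.println("open after leaky path: " + OPEN.get());
        OPEN.set(0);
        for (int i = 0; i < 3; i++) handleSecurityFixed(redirecting);
        System.out.println("open after fixed path: " + OPEN.get());
    }
}
```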