[
https://issues.apache.org/jira/browse/SLING-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Felix Meschberger resolved SLING-1716.
--------------------------------------
Resolution: Fixed
Fixed in Rev 991578.
> ResourceResolver objects may remain unclosed after handleSecurity
> -----------------------------------------------------------------
>
> Key: SLING-1716
> URL: https://issues.apache.org/jira/browse/SLING-1716
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Auth Core 1.0.2
> Reporter: Felix Meschberger
> Assignee: Felix Meschberger
> Fix For: Auth Core 1.0.4
>
>
> The SlingAuthenticator.handleSecurity method extracts credentials from the
> request (with the help of AuthenticationHandlers). Using these credentials, a
> ResourceResolver is created, presumably for use during request processing.
> After successfully creating the resource resolver,
> AuthenticationFeedbackHandler.authenticationSucceeded is called. This method
> may redirect the request and return true to indicate the request should be
> terminated. Likewise the DefaultFeedbackHandler can do the same.
> If such a feedback handler decides to redirect the request after successfully
> creating the ResourceResolver, false is returned from the handleSecurity
> method to indicate to the OSGi HttpService to consider authentication failed
> and to terminate the request.
> In this situation, the ResourceResolver is not closed and will only
> eventually be closed thanks to the finalize() method implemented.
> This is not a good situation, though, and the handleSecurity method (or one
> of the ResourceResolver factory methods in the SlingAuthenticator) should
> close the ResourceResolver if the request should be terminated.
--
This message is automatically generated by JIRA.
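
The leak described in the issue, as an added example. This is not the change committed in Rev 991578 and not Sling's own code: Resolver, FeedbackHandler and both handleSecurity variants are hypothetical stand-ins that only model who closes the resolver when the feedback handler terminates the request.

```java
import java.util.concurrent.atomic.AtomicInteger;

public class HandleSecurityCloseDemo {
    static final AtomicInteger OPEN = new AtomicInteger(); // resolvers not yet closed

    // Hypothetical stand-in for a ResourceResolver.
    static final class Resolver implements AutoCloseable {
        private boolean closed;
        Resolver() { OPEN.incrementAndGet(); }
        @Override public void close() {
            if (!closed) { closed = true; OPEN.decrementAndGet(); }
        }
    }

    // Hypothetical stand-in for the feedback handler; true = redirected, terminate.
    interface FeedbackHandler { boolean authenticationSucceeded(); }

    // Behaviour the issue describes: the terminate path returns false
    // and leaves the resolver open until finalization.
    static boolean handleSecurityLeaky(FeedbackHandler handler) {
        Resolver resolver = new Resolver();
        if (handler.authenticationSucceeded()) {
            return false;
        }
        return true; // resolver now belongs to request processing
    }

    // Remedy the issue asks for: close the resolver whenever the request
    // is not going to proceed, including when the handler throws.
    static boolean handleSecurityClosing(FeedbackHandler handler) {
        Resolver resolver = new Resolver();
        boolean proceed = false;
        try {
            proceed = !handler.authenticationSucceeded();
            return proceed;
        } finally {
            if (!proceed) resolver.close();
        }
    }

    public static void main(String[] args) {
        FeedbackHandler redirecting = () -> true; // constructed: always redirects
        handleSecurityLeaky(redirecting);
        System.out.println("leaky variant, still open: " + OPEN.get());
        OPEN.set(0);
        handleSecurityClosing(redirecting);
        System.out.println("closing variant, still open: " + OPEN.get());
    }
}
```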