[ https://issues.apache.org/jira/browse/SLING-1716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Meschberger resolved SLING-1716. -------------------------------------- Resolution: Fixed Fixed in Rev 991578. > ResourceResolver objects may remain unclosed after handleSecurity > ----------------------------------------------------------------- > > Key: SLING-1716 > URL: https://issues.apache.org/jira/browse/SLING-1716 > Project: Sling > Issue Type: Bug > Components: Authentication > Affects Versions: Auth Core 1.0.2 > Reporter: Felix Meschberger > Assignee: Felix Meschberger > Fix For: Auth Core 1.0.4 > > > The SlingAuthenticator.handleSecurity method extracts credentials from the > request (with the help of AuthenticationHandlers). Using these credentials, a > ResourceResolver is created, presumably for use during request processing. > After successfully creating the resource resolver > AuthenticationFeedbackHandler.authenticationSucceeded is called. This method > may redirect the request and return true to indicate the request should be > terminated. Likewise the DefaultFeedbackHandler can do the same. > If such a feedback handler decides to redirect the request after successfully > creating the ResourceResolver, false is returned from the handleSecurity > method to indicate to the OSGi HttpService to consider authentication failed > and to terminate the request. > In this situation, the ResourceResolver is not closed and will only > eventually be closed thanks to the finalize() method implemented. > This is not a good situation, though, and the handleSecurity method (or one > of the ResourceResolver factory methods in the SlingAuthenticator) should > close the ResourceResolver if the request should be terminated. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.