Bug 1103735

Summary: Classloader leak in JBossCachedAuthenticationManager
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Josef Cacek <jcacek>
Component: Security
Assignee: Emmanuel Hugonnet (ehsavoie) <ehugonne>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Slavicek <pslavice>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.3.0
CC: asaji, bdawidow, ehugonne, kkhan, ochaloup, okotek
Target Milestone: DR7
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: ShouldBeFixed
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1139561
Attachments (description, flags):
secured-webapp.war (flags: none)
Screenshot - Eclipse MAT (flags: none)

Description Josef Cacek 2014-06-02 12:39:23 UTC
When using a security domain with cache-type="default", the ModuleClassLoader instances related to deployments leak through JBossCachedAuthenticationManager.

The problematic piece of code is the domainCache member variable, whose DomainInfo value holds a LoginContext instance. This LoginContext has a member contextClassLoader which causes the leak (it points to the ModuleClassLoader of the deployment).

One option to solve this issue could be to remove the cache entries which are related to the undeployed application.

Steps to reproduce:

1) Add a user to the ApplicationRealm (linked with the "other" security domain)
./add-user.sh -a -u user1 -p password1! -r ApplicationRealm -g app-user

2) Start the AS
./standalone.sh

3) Deploy a web application with a secured servlet allowing access to role "app-user" (no security domain is referenced in the jboss-web.xml, so the default domain "other" is used)
./jboss-cli -c "deploy /tmp/secured-webapp.war"

4) Open the servlet URL in the browser and log in as "user1" with password "password1!"

5) Redeploy the application
./jboss-cli -c "undeploy secured-webapp.war"
./jboss-cli -c "deploy /tmp/secured-webapp.war"

=> LEAK - the first deployment's ModuleClassLoader is not destroyed, because it's referenced through the LoginContext instance from the JBossCachedAuthenticationManager
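The reference chain described in this report (domainCache -> DomainInfo -> LoginContext -> contextClassLoader -> ModuleClassLoader), and the mitigation the reporter proposes (removing the cache entries tied to the undeployed application), as an added, self-contained model. This is illustration code written for this page, not PicketBox or EAP code: the class names LoginContextModel, DomainInfoModel and ClassLoaderLeakModel and the method evictEntriesFor are assumptions that only mirror the shape of JBossCachedAuthenticationManager, and a plain URLClassLoader stands in for the deployment's ModuleClassLoader.

```java
import java.lang.ref.WeakReference;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Added example (not PicketBox/EAP code): a simplified model of the class loader
 * leak described in BZ-1103735 and of the proposed fix. All names here are
 * assumptions chosen for illustration; only the reference chain mirrors
 * JBossCachedAuthenticationManager.domainCache -> DomainInfo -> LoginContext.
 */
public class ClassLoaderLeakModel {

    /** Stand-in for javax.security.auth.login.LoginContext: it captures the
     *  thread context class loader (TCCL) at construction time. */
    static final class LoginContextModel {
        final ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
    }

    /** Stand-in for the DomainInfo cache value; through the LoginContext it
     *  keeps the deployment's class loader strongly reachable. */
    static final class DomainInfoModel {
        final LoginContextModel loginContext;
        DomainInfoModel(LoginContextModel lc) { this.loginContext = lc; }
    }

    /** Stand-in for the domainCache member, keyed by principal name. */
    private final Map<String, DomainInfoModel> domainCache = new ConcurrentHashMap<>();

    /** Authentication runs with the deployment's loader as TCCL, exactly the
     *  situation in which the cached LoginContext picks up the module loader. */
    void authenticate(String principal, ClassLoader deploymentLoader) {
        ClassLoader previous = Thread.currentThread().getContextClassLoader();
        Thread.currentThread().setContextClassLoader(deploymentLoader);
        try {
            domainCache.put(principal, new DomainInfoModel(new LoginContextModel()));
        } finally {
            Thread.currentThread().setContextClassLoader(previous);
        }
    }

    /** Proposed mitigation from the report: on undeploy, drop every cache entry
     *  whose LoginContext was created under the undeployed loader. */
    int evictEntriesFor(ClassLoader undeployedLoader) {
        int removed = 0;
        for (Iterator<DomainInfoModel> it = domainCache.values().iterator(); it.hasNext();) {
            if (it.next().loginContext.contextClassLoader == undeployedLoader) {
                it.remove();
                removed++;
            }
        }
        return removed;
    }

    /** Best-effort check that the referent was collected; GC is never guaranteed,
     *  so this asks for it a few times rather than once. */
    static boolean collected(WeakReference<?> ref) throws InterruptedException {
        for (int i = 0; i < 10 && ref.get() != null; i++) {
            System.gc();
            Thread.sleep(50);
        }
        return ref.get() == null;
    }

    public static void main(String[] args) throws Exception {
        ClassLoaderLeakModel manager = new ClassLoaderLeakModel();

        // First "deployment": its own class loader, as jboss-modules creates one per war.
        ClassLoader deployment1 = new URLClassLoader(new URL[0], ClassLoaderLeakModel.class.getClassLoader());
        WeakReference<ClassLoader> loaderRef = new WeakReference<>(deployment1);

        manager.authenticate("user1", deployment1);

        // "Undeploy": the container drops its own reference to the loader ...
        deployment1 = null;
        // ... but the cache still reaches it via DomainInfo -> LoginContext -> contextClassLoader.
        System.out.println("collected after undeploy, without eviction: " + collected(loaderRef));

        // Fix: evict the entries tied to the undeployed loader; only then can it be collected.
        int removed = manager.evictEntriesFor(loaderRef.get());
        System.out.println("entries evicted: " + removed);
        System.out.println("collected after eviction: " + collected(loaderRef));
    }
}
```

Run it with `javac ClassLoaderLeakModel.java && java ClassLoaderLeakModel`. The first check reports the loader as still alive because the cache keeps it strongly reachable, which is the same chain the reporter found with MAT; after evicting the entry the weak reference clears. The eviction key is the identity of the captured contextClassLoader, which is the one piece of information the cache value already carries, so no extra bookkeeping per deployment is needed for this variant of the fix.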

Comment 1 Emmanuel Hugonnet (ehsavoie) 2014-06-16 06:49:39 UTC
https://github.com/ehsavoie/jboss-eap/tree/BZ-1103735 waiting for new picketbox release.

Comment 2 Josef Cacek 2014-09-22 13:45:16 UTC
Verification failed. I still see the ModuleClassLoader referenced from the DomainInfo.

Comment 3 Josef Cacek 2014-09-22 13:59:08 UTC
Created attachment 940023 [details]
secured-webapp.war

Use the attached reproducer.
After the 2nd deployment, use Eclipse Memory Analyzer (MAT) to dump the heap and take the following steps:

1) Open the OQL view and run the following query:
SELECT f FROM org.jboss.modules.ModuleClassLoader f WHERE (f.module.identifier.name.toString() = "deployment.secured-webapp.war")

2) Select each entry and use the context menu (right click) to run the command:
Merge Shortest Paths to GC Roots -> Exclude all phantom/weak/soft etc. references

3) Check the references (look at the attached screenshot)

Comment 4 Josef Cacek 2014-09-22 14:00:00 UTC
Created attachment 940024 [details]
Screenshot - Eclipse MAT

Comment 6 Emmanuel Hugonnet (ehsavoie) 2014-10-17 12:51:08 UTC
I don't see the same results as you, Josef. Could you help me with MAT?
The old module loader is still here BUT there are no references attached to it.

Comment 7 Emmanuel Hugonnet (ehsavoie) 2014-10-20 12:56:00 UTC
PR: https://github.com/jbossas/jboss-eap/pull/1822