Bug 1103735 - Classloader leak in JBossCachedAuthenticationManager
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: DR7
Target Release: EAP 6.4.0
Assigned To: Emmanuel Hugonnet (ehsavoie)
QA Contact: Pavel Slavicek
Whiteboard: ShouldBeFixed
Blocks: 1139561
Reported: 2014-06-02 08:39 EDT by Josef Cacek
Modified: 2018-06-07 17:31 EDT
CC List: 6 users
Doc Type: Bug Fix
Type: Bug


Attachments
secured-webapp.war (6.27 KB, application/zip), 2014-09-22 09:59 EDT, Josef Cacek
Screenshot - Eclipse MAT (337.43 KB, image/png), 2014-09-22 10:00 EDT, Josef Cacek


External Trackers
JBoss Issue Tracker WFLY-3429 (Priority: Critical, Status: Resolved): Classloader leak in JBossCachedAuthenticationManager, last updated 2017-10-09 21:48 EDT

Description Josef Cacek 2014-06-02 08:39:23 EDT
When using a security domain with cache-type="default", the ModuleClassLoader instances related to deployments leak through JBossCachedAuthenticationManager.

The problematic piece of code is the domainCache member variable, which in the DomainInfo value holds a LoginContext instance. This LoginContext has a member contextClassLoader which causes the leak (it points to the ModuleClassLoader of the deployment).

One option to solve this issue could be to remove the cache entries which are related to the undeployed application.

Steps to reproduce:

1) Add a user to the ApplicationRealm (linked with the "other" security domain)
./add-user.sh -a -u user1 -p password1! -r ApplicationRealm -g app-user

2) start the AS
./standalone.sh

3) deploy a web application with a secured servlet allowing access to role "app-user" (No security domain is referenced in the jboss-web.xml, so the default domain "other" is used.)
./jboss-cli.sh -c "deploy /tmp/secured-webapp.war"

4) open the servlet URL in the browser and login as "user1" with password "password1!"

5) redeploy the application
./jboss-cli.sh -c "undeploy secured-webapp.war"
./jboss-cli.sh -c "deploy /tmp/secured-webapp.war"

=> LEAK - the first deployment's ModuleClassLoader is not destroyed, because it's referenced through the LoginContext instance from the JBossCachedAuthenticationManager
Comment 1 Emmanuel Hugonnet (ehsavoie) 2014-06-16 02:49:39 EDT
https://github.com/ehsavoie/jboss-eap/tree/BZ-1103735 waiting for new picketbox release.
Comment 2 Josef Cacek 2014-09-22 09:45:16 EDT
Verification failed. I still see the ModuleClassLoader referenced from the DomainInfo.
Comment 3 Josef Cacek 2014-09-22 09:59:08 EDT
Created attachment 940023
secured-webapp.war

Use the attached reproducer.
After the 2nd deployment use Eclipse Memory Analyzer (MAT) to dump the heap and make following steps:

1) Open OQL view and run following query:
SELECT f FROM org.jboss.modules.ModuleClassLoader f WHERE (f.module.identifier.name.toString() = "deployment.secured-webapp.war")

2) Select each entry and use context menu (right click) to run command:
Merge Shortest Paths to GC Roots->Exclude all phantom/weak/soft etc. references

3) Check the references (look at the attached screenshot)
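As an added illustration of the mechanism described in the report and of the heap-dump check in Comment 3 (example code written for this page, not JBoss or PicketBox code): a small stand-alone Java program in which a long-lived cache holds a JAAS LoginContext that was created while a deployment's class loader was the thread context class loader. The DomainInfo and domainCache names mirror the report but are hypothetical stand-ins; AuthCacheLeakDemo, cacheLogin, evictDeployment, dumpHeap and the module name example.NoopLoginModule are made up for the demo, and a plain URLClassLoader stands in for the deployment's ModuleClassLoader. The eviction at the end implements the reporter's suggested fix (removing the undeployed application's entries); it is not the change made in the linked pull request.

```java
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.lang.ref.WeakReference;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.management.HotSpotDiagnosticMXBean;

/*
 * Added example for BZ-1103735 (not JBoss/PicketBox code). Shows why a cache
 * entry holding a LoginContext pins the deployment's class loader, and that
 * evicting the undeployed application's entries releases it.
 */
public class AuthCacheLeakDemo {

    /* Hypothetical stand-in for the cache value described in the report. */
    static final class DomainInfo {
        final LoginContext loginContext;
        final String deployment;   // which deployment populated the entry
        DomainInfo(LoginContext loginContext, String deployment) {
            this.loginContext = loginContext;
            this.deployment = deployment;
        }
    }

    /* Hypothetical stand-in for JBossCachedAuthenticationManager.domainCache,
     * keyed by principal name; it outlives individual deployments. */
    static final Map<String, DomainInfo> domainCache = new HashMap<>();

    /* JAAS refuses to build a LoginContext unless the domain has at least one
     * module configured. The module class is only loaded by login(), which this
     * demo never calls, so the class name is a placeholder that need not exist. */
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                "example.NoopLoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                new HashMap<String, Object>()) };
        }
    };

    /* What a successful login from inside a deployment looks like to the cache:
     * the container runs the request with the deployment's loader as TCCL, and
     * LoginContext's constructor stores that TCCL in its contextClassLoader field. */
    static void cacheLogin(String user, String deployment, ClassLoader deploymentLoader)
            throws LoginException {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(deploymentLoader);
        try {
            LoginContext lc = new LoginContext("other", null, null, CONFIG);
            domainCache.put(user, new DomainInfo(lc, deployment));
        } finally {
            t.setContextClassLoader(saved);
        }
    }

    /* The fix suggested in the report: drop the entries that belong to the
     * application being undeployed, so nothing in the cache references its loader. */
    static void evictDeployment(String deployment) {
        domainCache.values().removeIf(info -> info.deployment.equals(deployment));
    }

    /* Best-effort check; GC is not deterministic, so this is a demo, not a unit test. */
    static boolean collected(WeakReference<?> ref) throws InterruptedException {
        for (int i = 0; i < 10 && ref.get() != null; i++) {
            System.gc();
            Thread.sleep(50);
        }
        return ref.get() == null;
    }

    /* Writes a heap dump for Eclipse MAT (the target file must not already exist).
     * The OQL from comment 3 then finds the loader, with java.net.URLClassLoader
     * in place of org.jboss.modules.ModuleClassLoader. */
    static void dumpHeap(String file) throws IOException {
        HotSpotDiagnosticMXBean bean =
            ManagementFactory.getPlatformMXBean(HotSpotDiagnosticMXBean.class);
        bean.dumpHeap(file, true);   // true: only live objects, as with jmap -dump:live
    }

    public static void main(String[] args) throws Exception {
        ClassLoader parent = AuthCacheLeakDemo.class.getClassLoader();
        URLClassLoader first = new URLClassLoader(new URL[0], parent);   // first deployment
        WeakReference<ClassLoader> firstRef = new WeakReference<>(first);

        cacheLogin("user1", "secured-webapp.war", first);

        first = null;   // "undeploy": the container lets go of its loader
        System.out.println("collected after undeploy: " + collected(firstRef));

        if (args.length > 0) {
            dumpHeap(args[0]);   // e.g. java AuthCacheLeakDemo leak.hprof, then open in MAT
        }

        evictDeployment("secured-webapp.war");   // what an undeploy listener should do
        System.out.println("collected after eviction: " + collected(firstRef));
    }
}
```

Run it with a file name argument to get a heap dump between the two checks; in MAT, "Merge Shortest Paths to GC Roots" on the URLClassLoader should show the same chain the screenshot in Comment 4 shows for the ModuleClassLoader: URLClassLoader <- LoginContext.contextClassLoader <- DomainInfo.loginContext <- HashMap entry <- domainCache. The first printed line is expected to report that the loader was not reclaimed and the second that it was, although because garbage collection is only requested, not forced, a given JVM may need the loop count raised. The general lesson is the one the report states: any cache that outlives deployments must not hold objects that capture the thread context class loader unless its entries are tied to the deployment's lifecycle.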
Comment 4 Josef Cacek 2014-09-22 10:00:00 EDT
Created attachment 940024
Screenshot - Eclipse MAT
Comment 6 Emmanuel Hugonnet (ehsavoie) 2014-10-17 08:51:08 EDT
I don't see the same results as you, Josef. Could you help me with MAT?
The old module loader is still here BUT there are no references attached to it.
Comment 7 Emmanuel Hugonnet (ehsavoie) 2014-10-20 08:56:00 EDT
PR: https://github.com/jbossas/jboss-eap/pull/1822
