  1. CXF
  2. CXF-5442

CXFAuthenticator causes classloader leaks

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.10
    • Fix Version/s: 2.6.12, 2.7.9
    • Component/s: Transports
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      org.apache.cxf.transport.http.CXFAuthenticator will cause classloader leaks.

      When CXFAuthenticator.addAuthenticator() is called, org.apache.cxf.transport.http.ReferencingAuthenticator is instantiated in a custom "dummy" URLClassLoader, and then wraps any pre-existing default Authenticator + weak references the CXFAuthenticator.

      In theory, this means that the classloader loading the CXFAuthenticator can be garbage collected, and then ReferencingAuthenticator.auth is cleared since CXFAuthenticator.instance is not strongly reachable from GC root.

      I won't say my conclusions are final, but this is how I think it happens: When the dummy URLClassLoader is instantiated, it inherits the ProtectionDomain that references the current classloader, which is the one that loaded CXFAuthenticator and thus there is a path to GC root (see screenshot) and the web app classloader is never garbage collected.

      1. cxf.jpg
        37 kB
        Mattias Jiderhamn
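
The retention path suspected in the description, as stand-alone Java; this is an added example, not code from CXF or from the reporter's test case. The class name, the `demo.dummyLoader` property key (a stand-in for the JVM-wide default Authenticator slot) and the GC polling loop are assumptions, and it presumes a JDK in which `URLClassLoader` records the creating code's `AccessControlContext`, as the later comment about `loader.acc` implies.

```java
import java.lang.ref.WeakReference;
import java.net.URL;
import java.net.URLClassLoader;

// Constructed demo. Compile with javac and run from the class output directory
// so that the code source location below is a URL the second loader can read.
public class DummyLoaderLeakDemo {

    // Invoked reflectively on the copy of this class defined by the "web app" loader.
    public static void createDummyLoader() {
        // The constructor snapshots AccessController.getContext(). This frame's
        // ProtectionDomain, and through it the defining classloader, is in that snapshot.
        URLClassLoader dummy = new URLClassLoader(new URL[0], null);
        // Stand-in for Authenticator.setDefault(): park the loader in JVM-wide state.
        System.getProperties().put("demo.dummyLoader", dummy);
    }

    // Returns true if the "web app" loader is still reachable after being dropped.
    static boolean webAppLoaderLeaks(boolean releaseDummy) throws Exception {
        URL here = DummyLoaderLeakDemo.class.getProtectionDomain()
                .getCodeSource().getLocation();
        // Bootstrap parent only, so this loader defines its own copy of the class.
        URLClassLoader webApp = new URLClassLoader(new URL[] {here}, null);
        webApp.loadClass(DummyLoaderLeakDemo.class.getName())
              .getMethod("createDummyLoader").invoke(null);
        if (releaseDummy) {
            // Control case: nothing JVM-wide keeps the dummy loader alive.
            System.getProperties().remove("demo.dummyLoader");
        }
        WeakReference<ClassLoader> ref = new WeakReference<>(webApp);
        webApp.close();
        webApp = null; // drop the last strong reference held by this method
        for (int i = 0; i < 10 && ref.get() != null; i++) {
            System.gc();
            Thread.sleep(100);
        }
        System.getProperties().remove("demo.dummyLoader"); // clean up after measuring
        return ref.get() != null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("dummy loader kept JVM-wide, web app loader leaked: "
                + webAppLoaderLeaks(false));
        System.out.println("dummy loader released, web app loader leaked: "
                + webAppLoaderLeaks(true));
    }
}
```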

        Activity

        mate Mattias Jiderhamn added a comment - A test case to demonstrate the issue is now available here: https://github.com/mjiderhamn/classloader-leak-prevention/blob/master/src/test/java/se/jiderhamn/classloader/leak/prevention/CXFAuthenticatorTest.java
        mate Mattias Jiderhamn added a comment -

        Version 1.9.0 of https://github.com/mjiderhamn/classloader-leak-prevention should now provide a workaround for this issue.

        dkulp Daniel Kulp added a comment -

        Little more reflection magic and I think this is now resolved. Confirmation would be great.

        mate Mattias Jiderhamn added a comment -

        Running my leak detecting test case against the 2.6.x SVN sources, it seems that setting loader.acc to null does the trick.
        I have yet to test this in a deployed environment (possibly AccessController.doPrivileged() also makes a difference then) but likely the problem has been fixed.


          People

          • Assignee:
            dkulp Daniel Kulp
            Reporter:
            mate Mattias Jiderhamn