Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-5442

CXFAuthenticator causes classloader leaks

Agile BoardAttach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.10
    • Fix Version/s: 2.6.12, 2.7.9
    • Component/s: Transports
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      org.apache.cxf.transport.http.CXFAuthenticator will cause classloader leaks.

      When CXFAuthenticator.addAuthenticator() is called, org.apache.cxf.transport.http.ReferencingAuthenticator is instantiated in a custom "dummy" URLClassLoader, and then wraps any pre-existing default Authenticator + weak references the CXFAuthenticator.

      In theory, this means that the classloader loading the CXFAuthenticator can be garbage collected, and then ReferencingAuthenticator.auth is cleared since CXFAuthenticator.instance is not strongly reachable from GC root.

      I won't say my conclusions are final, but this is how I think it happens: When the dummy URLClassLoader is instantiated, it inherits the ProtectionDomain that references the current classloader, which is the one that loaded CXFAuthenticator and thus there is a path to GC root (see screenshot) and the web app classloader is never garbage collected.

        Attachments

          Activity

            People

            • Assignee:
              dkulp Daniel Kulp
              Reporter:
              mate Mattias Jiderhamn

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment