Created attachment 34453 [details] Patch for disposing the delegated GSS credential GenericPrincipal#logout() implementation never frees GSSCredential on logout but the contract of GSSCredential#dispose() requires to be called as soon as this senstivive auth data is not needed anymore. A simple if (gssCredential != null) { gssCredential.dispose(); } can be added to the #logout() implementation. See http://docs.oracle.com/javase/7/docs/api/org/ietf/jgss/GSSCredential.html#dispose() of dispose(). This issue will likely apply to 9.0.x as well.
Thanks for the report and the patch. It has been fixed in: - trunk for 9.0.0.M14 onwards - 8.5.x for 8.5.9 onwards - 8.0.x for 8.0.40 onwards - 7.0.x for 7.0.74 onwards