Bug 60379 - GenericPrincipal never frees GSSCredential
Summary: GenericPrincipal never frees GSSCredential
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.x-trunk
Hardware: All All
: P2 major (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on: 60380
Blocks:
  Show dependency tree
 
Reported: 2016-11-16 10:16 UTC by Michael Osipov
Modified: 2016-11-21 16:57 UTC (History)
0 users


Attachments
Patch for disposing the delegated GSS credential (483 bytes, patch)
2016-11-16 10:16 UTC, Michael Osipov 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Osipov 2016-11-16 10:16:11 UTC 
Created attachment 34453 [details]
Patch for disposing the delegated GSS credential

GenericPrincipal#logout() implementation never frees GSSCredential on logout but the contract of GSSCredential#dispose() requires to be called as soon as this senstivive auth data is not needed anymore.

A simple
if (gssCredential != null) {
    gssCredential.dispose();
}

can be added to the #logout() implementation.

See http://docs.oracle.com/javase/7/docs/api/org/ietf/jgss/GSSCredential.html#dispose() of dispose().

This issue will likely apply to 9.0.x as well.
Comment 1 Mark Thomas 2016-11-21 16:57:19 UTC 
Thanks for the report and the patch.

It has been fixed in:
- trunk for 9.0.0.M14 onwards
- 8.5.x for 8.5.9 onwards
- 8.0.x for 8.0.40 onwards
- 7.0.x for 7.0.74 onwards