--- java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java (revision 1036595) +++ java/org/apache/catalina/core/JreMemoryLeakPreventionListener.java (working copy) @@ -107,7 +107,21 @@ this.securityPolicyProtection = securityPolicyProtection; } - /** + /** + * Protect against the memory leak caused when the first call to + * javax.security.auth.login.Configuration is triggered by a web + * application. This first call populate a static variable with a reference + * to the context class loader. Defaults to true. + */ + private boolean securityLoginConfigurationProtection = true; + public boolean isSecurityLoginConfigurationProtection() { + return securityLoginConfigurationProtection; + } + public void setSecurityLoginConfigurationProtection(boolean securityLoginConfigurationProtection) { + this.securityLoginConfigurationProtection = securityLoginConfigurationProtection; + } + + /** * Protect against the memory leak, when the initialization of the * Java Cryptography Architecture is triggered by initializing * a MessageDigest during web application deployment. @@ -274,7 +288,20 @@ } } + /* + * Initializing javax.security.auth.login.Configuration retains a static reference to the context + * class loader. + */ + if (securityLoginConfigurationProtection) { + try { + Class.forName("javax.security.auth.login.Configuration", true, ClassLoader.getSystemClassLoader()); + } catch(ClassNotFoundException e) { + // Ignore + } + } + + /* * Creating a MessageDigest during web application startup * initializes the Java Cryptography Architecture. Under certain * conditions this starts a Token poller thread with TCCL equal --- webapps/docs/config/listeners.xml (revision 1036595) +++ webapps/docs/config/listeners.xml (working copy) @@ -270,6 +270,16 @@ trigger a memory leak on reload. Defaults to true.
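Review bot: The Javadoc on the new `securityLoginConfigurationProtection` field names the trigger as "the first call to javax.security.auth.login.Configuration", but that is a class, and the comment added in the second hunk says the reference is retained when the class is initialized. The two descriptions should agree. I would reword the sentence to `The first initialization of this class populates a static variable with a reference to the context class loader.`, which also fixes the "populate" grammar slip. The getter and setter are added with no Javadoc and no blank lines between them; whether that matches the rest of the class cannot be seen from this hunk.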
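Review bot: The loader passed to `Class.forName(..., true, ClassLoader.getSystemClassLoader())` only decides which loader defines the class, while the comment above says the leaked reference is to the context class loader. The protection therefore holds only if the thread's context class loader is not a web application loader when this block runs. That is presumably arranged by the enclosing method, which starts and ends outside the hunk, and the comment should say so, for example `* This must run while the thread context class loader is the system class loader, because that is the loader the static initializer captures.` The `catch(ClassNotFoundException e)` branch is also silent, so on a JRE that lacks this class the protection is skipped without a trace; a debug-level log entry there would let an operator confirm whether it ran.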

+ +

Enables protection so that usage of the + javax.security.auth.login.Configuration class by a web + application does not in a memory leak. The first access of this class will + trigger the initializer that will retain a static reference to the context + class loader. The protection loads the class with the system classloader + to ensure that the static initializer is not triggered by web application. + Defaults to true.

+
+

Enables protection so that usage of the deprecated javax.security.auth.Policy class by a web application does not