Bug 60379

Summary: GenericPrincipal never frees GSSCredential
Product: Tomcat 8
Reporter: Michael Osipov <michaelo>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: major
Priority: P2
Version: 8.5.x-trunk
Target Milestone: ----
Hardware: All
OS: All
Bug Depends on: 60380
Bug Blocks:
Attachments: Patch for disposing the delegated GSS credential

Description Michael Osipov 2016-11-16 10:16:11 UTC
Created attachment 34453
Patch for disposing the delegated GSS credential

GenericPrincipal#logout() implementation never frees GSSCredential on logout, but the contract of GSSCredential#dispose() requires it to be called as soon as this sensitive auth data is not needed anymore.

A simple
    if (gssCredential != null) {
        gssCredential.dispose(); // release the delegated credential's sensitive material
    }

can be added to the #logout() implementation.

See the Javadoc of dispose(): http://docs.oracle.com/javase/7/docs/api/org/ietf/jgss/GSSCredential.html#dispose()

This issue will likely apply to 9.0.x as well.
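The fix the report asks for, as an added example that is not Tomcat's own code: a stand-in principal class (assumed name DelegatingPrincipal, not GenericPrincipal) that disposes the delegated credential in logout() and clears the reference, with a self-check that uses a reflection proxy in place of a real Kerberos credential to confirm dispose() is called exactly once.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.concurrent.atomic.AtomicInteger;
import org.ietf.jgss.GSSCredential;
// Assumed class (not Tomcat's GenericPrincipal): a principal that owns a delegated credential.
public class DelegatingPrincipal {
    private final String name;
    private GSSCredential gssCredential;   // null when the client did not delegate
    public DelegatingPrincipal(String name, GSSCredential gssCredential) {
        this.name = name;
        this.gssCredential = gssCredential;
    }
    public String getName() { return name; }
    public GSSCredential getGssCredential() { return gssCredential; }

    // Called by the container on session logout: release the sensitive credential
    // material as the GSSCredential#dispose() contract requires, exactly once.
    public void logout() throws Exception {
        if (gssCredential != null) {
            try {
                gssCredential.dispose();
            } finally {
                gssCredential = null;      // drop the reference even if dispose() threw
            }
        }
    }

    // Self-check with a dynamic-proxy stub that counts dispose() calls, so no real
    // Kerberos credential is needed to confirm that logout() releases it exactly once.
    public static void main(String[] args) throws Exception {
        AtomicInteger disposed = new AtomicInteger();
        InvocationHandler handler = (proxy, method, margs) -> {
            if ("dispose".equals(method.getName())) {
                disposed.incrementAndGet();
                return null;
            }
            throw new UnsupportedOperationException(method.getName());
        };
        GSSCredential stub = (GSSCredential) Proxy.newProxyInstance(
                GSSCredential.class.getClassLoader(), new Class<?>[] { GSSCredential.class }, handler);
        DelegatingPrincipal p = new DelegatingPrincipal("alice@EXAMPLE.COM", stub);
        p.logout();
        p.logout();   // second logout is a no-op: the reference was already cleared
        if (disposed.get() != 1 || p.getGssCredential() != null) {
            throw new AssertionError("credential not released exactly once");
        }
        System.out.println("dispose() called once, reference cleared");
    }
}
```

Clearing the field after dispose() is the part the three-line patch above does not do; it makes a repeated logout() harmless and stops later code from reusing a disposed credential.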
Comment 1 Mark Thomas 2016-11-21 16:57:19 UTC
Thanks for the report and the patch.

It has been fixed in:
- trunk for 9.0.0.M14 onwards
- 8.5.x for 8.5.9 onwards
- 8.0.x for 8.0.40 onwards
- 7.0.x for 7.0.74 onwards