Bug 60379 - GenericPrincipal never frees GSSCredential
Summary: GenericPrincipal never frees GSSCredential
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.x-trunk
Hardware: All All
Importance: P2 major
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on: 60380
Reported: 2016-11-16 10:16 UTC by Michael Osipov
Modified: 2016-11-21 16:57 UTC

Patch for disposing the delegated GSS credential (483 bytes, patch)
2016-11-16 10:16 UTC, Michael Osipov

Description Michael Osipov 2016-11-16 10:16:11 UTC
Created attachment 34453
Patch for disposing the delegated GSS credential

The GenericPrincipal#logout() implementation never frees the GSSCredential on logout, but the contract of GSSCredential#dispose() requires it to be called as soon as this sensitive auth data is not needed anymore.

A simple
if (gssCredential != null) {
    gssCredential.dispose();
}

can be added to the #logout() implementation.

See http://docs.oracle.com/javase/7/docs/api/org/ietf/jgss/GSSCredential.html#dispose() of dispose().

This issue will likely apply to 9.0.x as well.
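
The dispose-on-logout pattern requested in the report above, as an added example; it is not part of the report, the attached patch, or Tomcat's GenericPrincipal source. DelegatingPrincipal and the dynamic-proxy stub are hypothetical names, constructed so the code runs without a KDC.

```java
import java.lang.reflect.Proxy;
import java.util.concurrent.atomic.AtomicInteger;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

public class DisposeOnLogoutDemo {

    /** Hypothetical stand-in for a principal that holds a delegated credential. */
    static final class DelegatingPrincipal {
        // Sensitive: delegated credential obtained during SPNEGO authentication.
        private GSSCredential gssCredential;

        DelegatingPrincipal(GSSCredential cred) {
            this.gssCredential = cred;
        }

        /** Releases the credential; safe to call more than once. */
        void logout() {
            GSSCredential cred = gssCredential;
            gssCredential = null; // drop the reference even if dispose() fails
            if (cred != null) {
                try {
                    cred.dispose();
                } catch (GSSException e) {
                    // Nothing more can be done at logout; report and continue.
                    System.err.println("dispose() failed: " + e.getMessage());
                }
            }
        }
    }

    public static void main(String[] args) {
        AtomicInteger disposed = new AtomicInteger();
        // Constructed stub: a proxy that only counts dispose() calls.
        GSSCredential stub = (GSSCredential) Proxy.newProxyInstance(
                DisposeOnLogoutDemo.class.getClassLoader(),
                new Class<?>[] { GSSCredential.class },
                (proxy, method, methodArgs) -> {
                    if (method.getName().equals("dispose")) {
                        disposed.incrementAndGet();
                    }
                    return null;
                });

        DelegatingPrincipal principal = new DelegatingPrincipal(stub);
        principal.logout();
        principal.logout(); // second call must not dispose again
        System.out.println("dispose() calls: " + disposed.get());
    }
}
```

Clearing the field before calling dispose() keeps a failed dispose from leaving a half-released credential reachable through the principal.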
Comment 1 Mark Thomas 2016-11-21 16:57:19 UTC
Thanks for the report and the patch.

It has been fixed in:
- trunk for 9.0.0.M14 onwards
- 8.5.x for 8.5.9 onwards
- 8.0.x for 8.0.40 onwards
- 7.0.x for 7.0.74 onwards