Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1237

Coverity, Resource leak in SecurityIdentity (Elytron)

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.CR3
    • Component/s: None
    • Labels:
      None

      Description

      Coverity found possible resource leak. On 2 places there is created ServerAuthenticationContext in SecurityIdentity but is not closed.

          public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException {
              Assert.checkNotNullParam("principal", principal);
              // rewrite principal
              final SecurityManager sm = System.getSecurityManager();
              if (sm != null) {
                  sm.checkPermission(SET_RUN_AS_PERMISSION);
              }
      
              final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
              try {
                  if (! (context.importIdentity(this) && context.authorize(principal, authorize))) {
                      throw log.runAsAuthorizationFailed(this.principal, principal, null);
                  }
              } catch (RealmUnavailableException e) {
                  throw log.runAsAuthorizationFailed(this.principal, context.getAuthenticationPrincipal(), e);
              }
              return context.getAuthorizedIdentity();
          }
      
          public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException {
              final SecurityManager sm = System.getSecurityManager();
              if (sm != null) {
                  sm.checkPermission(SET_RUN_AS_PERMISSION);
              }
      
              final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
              if (! context.authorizeAnonymous(authorize)) {
                  throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null);
              }
              return context.getAuthorizedIdentity();
          }
      

      In SecurityDomainTrustManager newly created ServerAuthenticationContext is closed in try-with-resource

      try (final ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(mechanismConfigurationSelector)) {
      

      https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=22525060&defectInstanceId=5116909&mergedDefectId=1440894&fileStart=376&fileEnd=625

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  ivassile Ilia Vassilev
                  Reporter:
                  mchoma Martin Choma
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: