Posted to dev@hc.apache.org by "Michael Osipov (JIRA)" <ji...@apache.org> on 2018/08/05 20:49:00 UTC

[jira] [Commented] (HTTPCLIENT-1938) OS resources leak in HttpAuthenticator/WindowsNegotiateScheme

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1938?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16569577#comment-16569577 ] 

Michael Osipov commented on HTTPCLIENT-1938:
--------------------------------------------

This is basically a duplicate/subissue of HTTPCLIENT-1625. Both implementations, JGSS and SSPI, are broken in HttpClient because the implementor did not know what he was doing (completing the security loop). I do not recommend using it in a production environment.

There is a lot of FUD on the internet. Unfortunately, I haven't yet found the time to make things right. This might change soon because I will start using it in a project. You might want to search for my other comments.

> OS resources leak in HttpAuthenticator/WindowsNegotiateScheme
> -------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1938
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1938
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (Windows)
>    Affects Versions: 4.5.3
>            Reporter: Marcin Krystianc
>            Priority: Major
>              Labels: Authentication, leak, negotiate
>
> I've discovered a resource leak in the HTTP authentication process on Windows when the Negotiate method is used. It manifests itself as a slow memory leak in the {{lsass.exe}} process. Every time a Negotiate authentication is performed, a handle to client credentials and a handle to the security context are leaked. The direct reason for it is that the {{dispose()}} method of the {{WindowsNegotiateScheme}} class is never called.
> As far as I understand the interaction between {{HttpAuthenticator}} and {{WindowsNegotiateScheme}}, it is caused by {{HttpAuthenticator}} not processing the final authentication header, as it goes directly to the {{SUCCESS}} state. Without processing the final authentication header, the {{WindowsNegotiateScheme}} class doesn't have a chance to complete security context initialisation, which is the cause for not releasing OS resources.



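The failure mode reported in the issue, modelled as an added example that is not part of the original message and is not HttpClient code. ModelNegotiateScheme, leakyExchange, fixedExchange and the token strings are hypothetical, constructed stand-ins; the counter stands in for the credential and security-context handles, and closing the scheme on every path is one possible remedy assumed here, not the project's actual fix.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Constructed model; these classes are hypothetical stand-ins, not HttpClient's own.
public class NegotiateLeakModel {
    // Stands in for the credential and security-context handles held by the OS.
    static final AtomicInteger openHandles = new AtomicInteger();
    static final class ModelNegotiateScheme implements AutoCloseable {
        private boolean held, complete;

        String firstToken() {                          // acquires both handles
            held = true;
            openHandles.addAndGet(2);
            return "constructed-client-token";
        }
        void processFinalToken(String serverToken) {   // last leg of the loop
            if (serverToken == null) throw new IllegalStateException("no final token");
            complete = true;
        }
        boolean isComplete() { return complete; }
        @Override public void close() {                // releases both handles once
            if (held) { held = false; openHandles.addAndGet(-2); }
        }
    }

    // Leaky flow: a successful response moves straight to success; the final
    // authentication token is ignored and the scheme is never released.
    static boolean leakyExchange(String finalServerToken) {
        ModelNegotiateScheme scheme = new ModelNegotiateScheme();
        scheme.firstToken();
        return true;
    }

    // Corrected flow: feed the final token to the scheme, require completion,
    // and release the handles whether or not completion succeeded.
    static boolean fixedExchange(String finalServerToken) {
        try (ModelNegotiateScheme scheme = new ModelNegotiateScheme()) {
            scheme.firstToken();
            scheme.processFinalToken(finalServerToken);
            return scheme.isComplete();
        }
    }

    public static void main(String[] args) {
        for (int i = 0; i < 100; i++) leakyExchange("constructed-server-token");
        System.out.println("handles open after leaky flow: " + openHandles.get());
        openHandles.set(0);
        for (int i = 0; i < 100; i++) fixedExchange("constructed-server-token");
        System.out.println("handles open after fixed flow: " + openHandles.get());
    }
}
```

The leaky flow also reports success without ever checking that the security context completed, which is the "completing the security loop" point raised in the comment.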