Posted to dev@jackrabbit.apache.org by "Edgar Poce (JIRA)" <ji...@apache.org> on 2006/06/16 14:28:29 UTC

[jira] Created: (JCR-464) Prevent out of memory errors

Prevent out of memory errors
----------------------------

         Key: JCR-464
         URL: http://issues.apache.org/jira/browse/JCR-464
     Project: Jackrabbit
        Type: Improvement

  Components: core  
    Reporter: Edgar Poce
    Priority: Minor


Even an anonymous session can kill the JVM; any session can perform write actions until it kills the process by causing an out-of-memory exception.

I think it would be good to add a configuration parameter to specify the max size of the transient ISMs and the max number of sessions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


[jira] Commented: (JCR-464) Prevent out of memory errors

Posted by "Edgar Poce (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/JCR-464?page=comments#action_12416496 ] 

Edgar Poce commented on JCR-464:
--------------------------------

Sure, but an anonymous session can write and make use of the transient space; IMHO it yields a security issue.

E.g., if the CRX demo used the same approach as Jackrabbit, an anonymous user could connect to the demo and create nodes and properties without saving until the JVM runs out of memory.

Code example to kill the process:

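        import javax.jcr.Node;
        import javax.jcr.Repository;
        import javax.jcr.Session;
        import org.apache.jackrabbit.core.RepositoryImpl;
        import org.apache.jackrabbit.core.config.RepositoryConfig;

        RepositoryConfig c = RepositoryConfig.create(
                "/temp/jackrabbit/repository.xml", "/temp/jackrabbit");
        Repository r = RepositoryImpl.create(c);
        Session s = r.login();  // anonymous login, no credentials
        // save() is never called, so every new item stays in the transient space
        for (int i = 0; i < 1000000; i++) {
            Node n = s.getRootNode().addNode("node" + i);
            n.setProperty("property" + i, "property" + i);
        }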
  



[jira] Updated: (JCR-464) Prevent out of memory errors

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/JCR-464?page=all ]

Jukka Zitting updated JCR-464:
------------------------------

    Fix Version: 1.1
        Version: 0.9
                 1.0
                 1.0.1



[jira] Updated: (JCR-464) Prevent out of memory errors

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/JCR-464?page=all ]

Jukka Zitting updated JCR-464:
------------------------------

    Fix Version/s:     (was: 1.1)


[jira] Commented: (JCR-464) Prevent out of memory errors

Posted by "Michael Marth (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12568859#action_12568859 ] 

Michael Marth commented on JCR-464:
-----------------------------------

This problem affects me in more ways than is described above. If I create a large node with many sub nodes I cannot copy the node anymore (because I run out of memory). Also, I cannot delete the node anymore (same reason).

Both problems might be worked around on a programmatic layer, but a user who uses a GUI can hardly get around this problem. I suggest increasing the severity of this problem and treating it as a bug rather than an improvement.

Some test code below. This results in an out of mem exception on my JVM. (Obviously, this depends on the heap size one uses.)

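        // mynode, myOtherNode and session come from the surrounding test (not shown)
        for (int i = 0; i < 20; i++) {
            Node n = mynode.addNode("node" + i);
            n.setProperty("property" + i, "property" + i);
            session.save();

            // 2000 children per node, saved in one batch
            for (int j = 0; j < 2000; j++) {
                Node n2 = n.addNode("node" + j);
                n2.setProperty("property" + j, "property" + j);
            }
            session.save();
        }
        session.save();

        // copying the resulting 40,000-node subtree is the step that runs out of memory
        Workspace workspace = session.getWorkspace();
        workspace.copy(mynode.getPath(), myOtherNode.getPath());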




[jira] Commented: (JCR-464) Prevent out of memory errors

Posted by "Jukka Zitting (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/JCR-464?page=comments#action_12416581 ] 

Jukka Zitting commented on JCR-464:
-----------------------------------

I agree that this should be solved somehow; I've seen a real-life case where this caused the repository to run out of memory while importing a large (but not huge) XML document.

A short term solution would be to make the maximum size of the transient space configurable. A longer term solution would be to make the transient space backed by temporary storage (e.g. by using a transient persistence manager) when it grows too large.

In general I don't think it will be feasible or even preferable to prevent denial of service attacks on the JCR API level, so I wouldn't count that as too high a priority, but I think that there are legitimate use cases for working with transient spaces that might exceed the amount of available memory, especially in a shared environment like a web server.


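Added example (not part of the original thread and not Jackrabbit code): one way an application that embeds the repository could approximate the two limits proposed in this issue, a cap on open sessions and a cap on unsaved items per session. The class name GuardedSession and both limit values are assumptions; only standard javax.jcr calls are used.

```java
import java.util.concurrent.Semaphore;
import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Hypothetical application-layer guard; not a Jackrabbit class. */
public final class GuardedSession {
    private static final int MAX_SESSIONS = 50;         // assumed limit
    private static final int MAX_PENDING_ITEMS = 1000;  // assumed limit
    private static final Semaphore SLOTS = new Semaphore(MAX_SESSIONS);

    private final Session session;
    private int pending;      // items created since the last save()
    private boolean closed;

    private GuardedSession(Session session) { this.session = session; }

    /** Opens an anonymous session only while a slot is free. */
    public static GuardedSession open(Repository repo) throws RepositoryException {
        if (!SLOTS.tryAcquire()) throw new RepositoryException("session limit reached");
        try {
            return new GuardedSession(repo.login());
        } catch (RepositoryException | RuntimeException e) {
            SLOTS.release();  // do not leak the slot when login fails
            throw e;
        }
    }

    public Node root() throws RepositoryException { return session.getRootNode(); }

    /** Adds a node plus one property, charging two items to the budget. */
    public Node addNode(Node parent, String name, String prop, String value)
            throws RepositoryException {
        if (pending + 2 > MAX_PENDING_ITEMS) {
            session.refresh(false);  // drop unsaved changes held in the transient space
            pending = 0;
            throw new RepositoryException("transient space limit reached");
        }
        Node n = parent.addNode(name);
        n.setProperty(prop, value);
        pending += 2;
        return n;
    }

    public void save() throws RepositoryException { session.save(); pending = 0; }

    public synchronized void close() {
        if (closed) return;   // release the slot only once
        closed = true;
        session.logout();
        SLOTS.release();
    }
}
```

The item count is only a proxy for memory use; large property values would need byte accounting as well, and the guard helps only when callers cannot reach the underlying Session directly.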

[jira] Commented: (JCR-464) Prevent out of memory errors

Posted by "Stefan Guggisberg (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/JCR-464?page=comments#action_12416486 ] 

Stefan Guggisberg commented on JCR-464:
---------------------------------------

> Even an anonymous session can kill the jvm, 

AFAIK not if it just performs read operations.
The relevant internal caches are all memory sensitive.


