
List:       axis-dev
Subject:    [jira] [Updated] (RAMPART-337) Possible memory leak in the STS
From:       "Erik Ostermueller (Updated) (JIRA)" <jira () apache ! org>
Date:       2011-10-31 14:17:32
Message-ID: 292911722.40899.1320070652356.JavaMail.tomcat () hel ! zones ! apache ! org


     [ https://issues.apache.org/jira/browse/RAMPART-337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik Ostermueller updated RAMPART-337:
--------------------------------------

    Attachment: RAMPART-337.zip

We've run into this issue also with axis 1.4 and rampart 1.6.  This eventually fills up the entire heap, leading to a crash.

The following link looks like the same problem.

http://mail-archives.apache.org/mod_mbox/ws-rampart-dev/201003.mbox/%3Cdf633b31003010505r2e2692b0v40f65e8e53c7192f@mail.gmail.com%3E


I've attached RAMPART-337.zip to this JIRA.
This contains our configuration files:
RAMPART-337_client.axis2.xml
RAMPART-337_ClientServicePolicy.xml

..and a patch to work around the problem (RAMPART-337_work-around-patch.zip)

The patch is working for us, but it is not very attractive.
If we have 10 concurrent threads executing, then all 10 are scanning SimpleTokenStore for expired Tokens.  Seems more efficient to have a single background worker thread doing this.

There is a second "ugly" issue in the patch:
When we first coded the patch, we deleted all EXPIRED tokens, but only when the count reached a certain threshold (to lower overhead).

When we deleted all tokens, we got this exception:
org.apache.axis2.AxisFault: The signature or decryption was invalid (Unsupported key identification)

The full stack trace is at the end of this comment.
To fix this, we only deleted the oldest of the EXPIRED tokens.

Interestingly enough, we got this same exception with the following 1-line version of the patch, which we had to abandon b/c it throws an exception:

{code}
org/apache/rampart/TokenCallbackHandler.java

public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

    for (int i = 0; i < callbacks.length; i++) {

        if (callbacks[i] instanceof WSPasswordCallback) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
            String id = pc.getIdentifer();

            if((pc.getUsage() == WSPasswordCallback.SECURITY_CONTEXT_TOKEN ||
                    pc.getUsage() == WSPasswordCallback.CUSTOM_TOKEN) &&
                    this.store != null) {
                Token tok;
                try {
                    //Pick up the token from the token store
                    tok = this.store.getToken(id);
                    if(tok != null) {
                        //Get the secret and set it in the callback object
                        pc.setKey(tok.getSecret());
                        pc.setCustomToken((Element)tok.getToken());

                        tokenIdentifier = tok.getId();

                        // #########################################################################
                        // #### Adding the above line to rampart 1.6 _looks_ like it will fix RAMPART-337.
                        // #### Unfortunately, it causes the following error.
                        // ####
                        // ####   ERROR - The signature or decryption was invalid (Unsupported key identification)
                        // ####   org.apache.axis2.AxisFault: The signature or decryption was invalid (Unsupported key identification)
                        // ####           at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
                        // ####           at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
                        // ####
                        // #########################################################################

{code}


Here is the full stack trace for the exception:
{code}
ERROR - The signature or decryption was invalid (Unsupported key identification)
org.apache.axis2.AxisFault: The signature or decryption was invalid (Unsupported key identification)
    at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)
    at org.apache.axis2.engine.Phase.invoke(Phase.java:318)
    at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:251)
    at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:160)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:417)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
    at cardpartnerapi.edo.services.DashboardAPIProxy_v1_1Stub.getAcceptedPrewards(DashboardAPIProxy_v1_1Stub.java:2752)
    at com.fnis.ally.dashboard.DashBoardServicesAction.processgetAcceptedPrewards(Unknown Source)
    at com.sanchez.manager.DebitCardRewardServices.getOfferring_AcceptedPrewards(Unknown Source)
    at com.sanchez.form.DebitCardRewardsForm.getOffers(Unknown Source)
    at com.sanchez.manager.DebitCardRewardServices.getOfferring_AcceptedPrewards(Unknown Source)
    at com.sanchez.form.DebitCardRewardsForm.getOffers(Unknown Source)
    at com.sanchez.controller.DebitCardRewardsAction.unspecified(Unknown Source)
    at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:256)
    at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:194)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
    at com.sanchez.base.SecureRequestProcessor.handleActionPerform(Unknown Source)
    at com.sanchez.base.SecureRequestProcessor.processActionPerform(Unknown Source)
    at com.fnis.ally.auth.SiteMinderRequestProcessor.processActionPerform(Unknown Source)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1194)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.sanchez.base.URLSessionIdScrubber.doFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at com.sanchez.base.LoggerFilter.doFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
    at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid (Unsupported key identification)
    at org.apache.ws.security.processor.ReferenceListProcessor.getKeyFromSecurityTokenReference(ReferenceListProcessor.java:332)
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:160)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:111)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:74)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:150)
    at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
    ... 44 more
{code}
                
> Possible memory leak in the STS implementation due to the existing mechanism of storing tokens.
> ----------------------------------------------------------------------------------------------
>  
> Key: RAMPART-337
> URL: https://issues.apache.org/jira/browse/RAMPART-337
> Project: Rampart
> Issue Type: Improvement
> Reporter: Hasini Gunasinghe
> Attachments: RAMPART-337.zip
> 
> 
> In the current implementation issued tokens are stored in a TokenStore and retiring tokens from the token store is not taken into consideration which can lead to an out of memory situation after some time.
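
The single background worker suggested in the message above, as an added example (not code from the attached patch or from Rampart). `SweptTokenStore`, its methods and the grace period are hypothetical; the grace period is an assumption modelled on the report that deleting only the oldest expired tokens avoided the fault.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

// Hypothetical stand-in for a token store; not Rampart's SimpleTokenStore API.
public class SweptTokenStore implements AutoCloseable {
    // Token id -> expiry time in epoch milliseconds (secret and payload omitted).
    private final Map<String, Long> expiryById = new ConcurrentHashMap<>();
    private final long graceMillis;
    private final ScheduledExecutorService sweeper =
        Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "token-store-sweeper");
            t.setDaemon(true); // the sweeper must not keep the JVM alive
            return t;
        });

    public SweptTokenStore(long graceMillis, long sweepIntervalMillis) {
        this.graceMillis = graceMillis;
        // One background task scans the store; request threads never do.
        sweeper.scheduleWithFixedDelay(() -> sweep(System.currentTimeMillis()),
            sweepIntervalMillis, sweepIntervalMillis, TimeUnit.MILLISECONDS);
    }

    public void add(String id, long expiresAtMillis) { expiryById.put(id, expiresAtMillis); }

    public boolean contains(String id) { return expiryById.containsKey(id); }

    // Removes only tokens that expired more than graceMillis ago.
    // The returned count is approximate if tokens are added during the sweep.
    int sweep(long nowMillis) {
        int before = expiryById.size();
        expiryById.values().removeIf(expiry -> expiry + graceMillis < nowMillis);
        return before - expiryById.size();
    }

    @Override
    public void close() { sweeper.shutdownNow(); }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        try (SweptTokenStore store = new SweptTokenStore(60_000, 30_000)) {
            store.add("long-expired", now - 300_000); // constructed sample ids
            store.add("just-expired", now - 5_000);
            store.add("still-valid", now + 300_000);
            System.out.println("removed=" + store.sweep(now));
            System.out.println("just-expired kept=" + store.contains("just-expired"));
        }
    }
}
```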
