this.securityPolicyProtection = securityPolicyProtection;
}
- /**
+ /**
+ * Protect against the memory leak caused when the first call to
+ * <code>javax.security.auth.login.Configuration</code> is triggered by a web
+ * application. This first call populate a static variable with a reference
+ * to the context class loader. Defaults to <code>true</code>.
+ */
+ private boolean securityLoginConfigurationProtection = true;
+ public boolean isSecurityLoginConfigurationProtection() {
+ return securityLoginConfigurationProtection;
+ }
+ public void setSecurityLoginConfigurationProtection(boolean securityLoginConfigurationProtection) {
+ this.securityLoginConfigurationProtection = securityLoginConfigurationProtection;
+ }
+
+ /**
* Protect against the memory leak, when the initialization of the
* Java Cryptography Architecture is triggered by initializing
* a MessageDigest during web application deployment.
}
}
+
+ /*
+ * Initializing javax.security.auth.login.Configuration retains a static reference to the context
+ * class loader.
+ */
+ if (securityLoginConfigurationProtection) {
+ try {
+ Class.forName("javax.security.auth.login.Configuration", true, ClassLoader.getSystemClassLoader());
+ } catch(ClassNotFoundException e) {
+ // Ignore
+ }
+ }
+
/*
* Creating a MessageDigest during web application startup
* initializes the Java Cryptography Architecture. Under certain
<subsection name="Catalina">
<changelog>
<add>
+ <bug>50282</bug>: Load <code>javax.security.auth.login.Configuration</code>
+ with <code>JreMemoryLeakPreventionListener</code> to avoid memory leak
+ when stopping a webapp that would use JAAS.
+ (slaurent)
+ </add>
+ <add>
<bug>48973</bug>: Avoid creating a SESSIONS.ser file when stopping an
application if there's no session. Patch provided by Marc Guillemot.
(slaurent)
trigger a memory leak on reload. Defaults to <code>true</code>.</p>
</attribute>
+ <attribute name="securityLoginConfigurationProtection" required="false">
+ <p>Enables protection so that usage of the
+ <code>javax.security.auth.login.Configuration</code> class by a web
+ application does not in a memory leak. The first access of this class will
+ trigger the initializer that will retain a static reference to the context
+ class loader. The protection loads the class with the system classloader
+ to ensure that the static initializer is not triggered by web application.
+ Defaults to <code>true</code>.</p>
+ </attribute>
+
<attribute name="securityPolicyProtection" required="false">
<p>Enables protection so that usage of the deprecated
<code>javax.security.auth.Policy</code> class by a web application does not
projects / tomcat7.0 / commitdiff