Venki Korukanti created DRILL-4353:
--------------------------------------
Summary: Expired sessions in web server are not cleaning up
resources, leading to resource leak
Key: DRILL-4353
URL: https://issues.apache.org/jira/browse/DRILL-4353
Project: Apache Drill
Issue Type: Bug
Components: Web Server, Client - HTTP
Affects Versions: 1.5.0
Reporter: Venki Korukanti
Assignee: Venki Korukanti
Priority: Blocker
Fix For: 1.5.0
Currently we store the session resources (including DrillClient) in the
{{SessionAuthentication}} attribute object, which implements
{{HttpSessionBindingListener}}. Whenever a session is invalidated, all
attributes are removed, and if an attribute class implements
{{HttpSessionBindingListener}}, the listener is informed. The {{SessionAuthentication}}
implementation of {{HttpSessionBindingListener}} logs out the user, which
includes cleaning up the resources as well, but {{SessionAuthentication}}
relies on the ServletContext stored in a thread-local variable (see
[here|https://github.com/eclipse/jetty.project/blob/jetty-9.1.5.v20140505/jetty-security/src/main/java/org/eclipse/jetty/security/authentication/SessionAuthentication.java#L88]).
In the case of the thread that cleans up the expired sessions, there is no
{{ServletContext}} in the thread-local variable, so the user is not logged out
properly and resources leak.
Fix: Add {{HttpSessionEventListener}} to clean up the {{SessionAuthentication}}
and resources every time an HttpSession is expired or invalidated.
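
The failure mode described in this issue, as an added plain-JDK model that is not code from Drill or Jetty: cleanup that depends on a thread-local context runs on a request thread but is skipped on the thread that expires sessions, and a session-level hook that closes the resource directly removes that dependency. All class, field and method names are hypothetical stand-ins.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

/** Plain-JDK model of the leak; every name here is hypothetical, not Drill or Jetty code. */
public class SessionLeakModel {
    // Stands in for the context that is held in a thread local during a request.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();
    // Counts client resources that are still open.
    static final AtomicInteger OPEN_CLIENTS = new AtomicInteger();

    /** Stands in for the session attribute that owns the client resource. */
    static final class AuthAttribute {
        private boolean closed;
        AuthAttribute() { OPEN_CLIENTS.incrementAndGet(); }
        // Binding-listener path: cleans up only if the calling thread has a context.
        void valueUnbound() { if (CONTEXT.get() != null) close(); }
        // Idempotent cleanup that needs no thread-local state.
        synchronized void close() {
            if (!closed) { closed = true; OPEN_CLIENTS.decrementAndGet(); }
        }
    }

    static final Map<String, AuthAttribute> SESSIONS = new ConcurrentHashMap<>();

    /** Removes a session, as invalidation or expiry would. */
    static void destroy(String id, boolean withSessionListener) {
        AuthAttribute attr = SESSIONS.remove(id);
        if (attr == null) return;
        attr.valueUnbound();                    // existing behaviour
        if (withSessionListener) attr.close();  // fix: close without needing the context
    }

    /** Returns how many clients remain open after one logout and one expiry. */
    static int leakedAfterExpiry(boolean withSessionListener) throws InterruptedException {
        OPEN_CLIENTS.set(0);
        SESSIONS.put("s1", new AuthAttribute());
        SESSIONS.put("s2", new AuthAttribute());
        CONTEXT.set("request-context");         // request thread: context present
        destroy("s1", withSessionListener);
        CONTEXT.remove();
        // Expiry thread: nothing was ever set in its thread local.
        Thread scavenger = new Thread(() -> destroy("s2", withSessionListener), "scavenger");
        scavenger.start();
        scavenger.join();
        return OPEN_CLIENTS.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("binding listener only: leaked=" + leakedAfterExpiry(false));
        System.out.println("with session listener: leaked=" + leakedAfterExpiry(true));
    }
}
```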