Grzegorz Grzybek created ARTEMIS-5700:
-----------------------------------------

             Summary: KubernetesLoginModule doesn't control HttpClient instances
                 Key: ARTEMIS-5700
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5700
             Project: ActiveMQ Artemis
          Issue Type: Bug
            Reporter: Grzegorz Grzybek


After some heap dump analysis, I realized that a scenario where 
{{org.apache.activemq.artemis.spi.core.security.jaas.KubernetesLoginModule}} is 
used as a JAAS login module is inefficient.

JAAS' LoginContext _instantiates_ the login modules on each {{lc.login()}} and 
we have:
{code:java}
public KubernetesLoginModule(KubernetesClient client) {
   this.client = client;
}
public KubernetesLoginModule() {
   this(new KubernetesClientImpl());
}
{code}

{{org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.client.KubernetesClientImpl}}
 calls this in {{getTokenReview()}}:
{code:java}
HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
HttpRequest request = HttpRequest.newBuilder(apiUri)
      .header("Authorization", "Bearer " + authToken)
      .header("Accept", "application/json; charset=utf-8")
      .POST(HttpRequest.BodyPublishers.ofString(jsonRequest)).build();
logger.debug("Submit TokenReview request to Kubernetes API");
try {
   HttpResponse<String> response = client.send(request, BodyHandlers.ofString());
   if (response.statusCode() == HTTP_CREATED) {
      logger.debug("Received valid TokenReview response");
      return TokenReview.fromJsonString(response.body());
   }
   logger.error("Unable to retrieve a valid TokenReview. Received StatusCode: {}. Body: {}",
         response.statusCode(), response.body());
} catch (IOException | InterruptedException e) {
   logger.error("Unable to request ReviewToken", e);
}
return tokenReview;
{code}

The point is that {{jdk.internal.net.http.HttpClientImpl}} is not closeable and 
is supposed to be reused.
{{jdk.internal.net.http.AuthenticationFilter#caches}} holds the weak map of 
clients, but without GC the number of instances will grow unnecessarily.

Also, the creation of HttpClient is not negligible when doing token reviews so often.

----

I'm just finishing big Jolokia changes related to JAAS and authentication and 
may at some point review JAAS usage in AMQ.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
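
Added example, not part of the original report and not Artemis code: one way to keep a single HttpClient alive across the short-lived login module instances that JAAS creates on every login. The class names SharedClientDemo, TokenReviewHttp and PerLoginModule are hypothetical, and the sketch assumes the SSLContext does not change between logins.

```java
import java.net.http.HttpClient;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.SSLContext;

// Added illustration; all class names here are hypothetical, not Artemis classes.
public class SharedClientDemo {

   // Counts how many HttpClient instances were actually built.
   static final AtomicInteger BUILT = new AtomicInteger();

   // Holds one client per JVM, built lazily on first use and reused afterwards.
   static final class TokenReviewHttp {
      private static HttpClient shared;

      // Assumption: the SSLContext of the first caller stays valid for later logins.
      // If the trust material can change at runtime, the holder has to rebuild the client.
      static synchronized HttpClient get(SSLContext ctx) {
         if (shared == null) {
            shared = HttpClient.newBuilder()
                  .sslContext(ctx)
                  .connectTimeout(Duration.ofSeconds(5))
                  .build();
            BUILT.incrementAndGet();
         }
         return shared;
      }
   }

   // Stand-in for a login module: a new instance is created for every login().
   static final class PerLoginModule {
      final HttpClient client;

      PerLoginModule(SSLContext ctx) {
         this.client = TokenReviewHttp.get(ctx);
      }
   }

   public static void main(String[] args) throws NoSuchAlgorithmException {
      SSLContext ctx = SSLContext.getDefault();
      HttpClient first = new PerLoginModule(ctx).client;
      for (int i = 1; i < 1000; i++) {
         if (new PerLoginModule(ctx).client != first) {
            throw new AssertionError("client was not reused");
         }
      }
      System.out.println("logins=1000, clients built=" + BUILT.get());
   }
}
```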
