Database/LDAP connection leak in sample passport interception scripts

By: Doug Harris named 17 Apr 2020 at 2:50 p.m. CDT

3 Responses
Doug Harris gravatar
We ran into an issue where oxAuth was crashing (too many open file descriptors) after a few hundred logins via oxPassport. The cause was the parseAllProviders(self) method in the sample passport interception scripts (e.g. [SamlPassportAuthenticator.py](https://github.com/GluuFederation/community-edition-setup/blob/master/static/extension/person_authentication/PassportExternalAuthenticator.py) and [PassportExternalAuthenticator.py](https://github.com/GluuFederation/community-edition-setup/blob/master/static/extension/person_authentication/PassportExternalAuthenticator.py). This method was instantiating a PersistenceEntryManager: `entryManager = CdiUtil.bean(AppInitializer).createPersistenceEntryManager()` ...and never closing/destroying it. Since this is called from prepareForStep() it leaks a connection with every login. We fixed it by adding a call to: `entryManager.destroy()` in a `finally:` block.
Rhel 7.0
closed

Answers

By Aliaksandr Samuseu staff 17 Apr 2020 at 4:31 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Doug. That's interesting, thank you a lot for the heads up. Assigning to somebody who is able to assess this report.

By Jose Gonzalez staff 18 Apr 2020 at 7:57 a.m. CDT

Copy
Jose Gonzalez gravatar
Thank you very much for reporting this Doug. We did adjustments for the upcoming 4.1.1. You can apply this [fix](https://github.com/GluuFederation/community-edition-setup/commit/429222878e25f14b1419d785360c8390dcbfa316) manually in your scripts if desired.

By Yuriy Movchan staff 20 Apr 2020 at 10:10 a.m. CDT

Copy
Yuriy Movchan gravatar
Thank you for report. Yes, script should reuse application scoped entryManger instance. This should work well: ``` from org.gluu.persist import PersistenceEntryManager ... entryManager = CdiUtil.bean(PersistenceEntryManager) ``` In this case we should not destory it after call

Post an answer