Patch for client connection leak when using digest authentication

alessandro.gherardi · alessandro.gherardi · commit 1d14eb555a42 · 2017-04-30T19:14:55.000-06:00
diff --git a/core-client/src/main/java/org/glassfish/jersey/client/authentication/BasicAuthenticator.java b/core-client/src/main/java/org/glassfish/jersey/client/authentication/BasicAuthenticator.java
@@ -40,6 +40,8 @@
 
 package org.glassfish.jersey.client.authentication;
 
+import java.io.IOException;
+
 import javax.ws.rs.client.ClientRequestContext;
 import javax.ws.rs.client.ClientResponseContext;
 import javax.ws.rs.core.HttpHeaders;
@@ -113,7 +115,8 @@ public void filterRequest(ClientRequestContext request) throws RequestAuthentica
      * new request was done with digest authentication information and authentication was successful.
      * @throws ResponseAuthenticationException in case that basic credentials missing or are in invalid format
      */
-    public boolean filterResponseAndAuthenticate(ClientRequestContext request, ClientResponseContext response) {
+    public boolean filterResponseAndAuthenticate(ClientRequestContext request, ClientResponseContext response)
+            throws IOException {
         final String authenticate = response.getHeaders().getFirst(HttpHeaders.WWW_AUTHENTICATE);
         if (authenticate != null && authenticate.trim().toUpperCase().startsWith("BASIC")) {
             HttpAuthenticationFilter.Credentials credentials = HttpAuthenticationFilter
diff --git a/core-client/src/main/java/org/glassfish/jersey/client/authentication/HttpAuthenticationFilter.java b/core-client/src/main/java/org/glassfish/jersey/client/authentication/HttpAuthenticationFilter.java
@@ -292,10 +292,20 @@ private void updateCache(ClientRequestContext request, boolean success, Type ope
      * @param newAuthorizationHeader {@code Authorization} header that should be added to the new request.
      * @return {@code true} is the authentication was successful ({@code true} if 401 response code was not returned;
      * {@code false} otherwise).
+     * @throws IOException
      */
-    static boolean repeatRequest(ClientRequestContext request, ClientResponseContext response, String newAuthorizationHeader) {
-        Client client = request.getClient();
+    static boolean repeatRequest(ClientRequestContext request, ClientResponseContext response, String newAuthorizationHeader)
+            throws IOException{
+        // If the failed response has an entity stream, close it. We must do this to avoid leaking a connection
+        // when we replace the entity stream of the failed response with that of the repeated response (see below).
+        // Notice that by closing the entity stream before sending the repeated request we allow the connection allocated
+        // to the failed request to be reused, if possible, for the repeated request.
+        if (response.hasEntity()) {
+            response.getEntityStream().close();
+            response.setEntityStream(null);
+        }
 
+        Client client = request.getClient();
         String method = request.getMethod();
         MediaType mediaType = request.getMediaType();
         URI lUri = request.getUri();
