amazon-corretto-crypto-provider
Needs an `uninstall`
When starting this up using a ServletContextListener and terminating the application it says that there are ThreadLocals that are still remaining.
Calling `Security.removeProvider` doesn't resolve the ThreadLocal issues.
```java
public class InstallCorretto implements ServletContextListener {
    /**
     * Servlet context attribute key.
     */
    public static final String CONTEXT = "useCorretto";

    @Override
    public void contextDestroyed(@NotNull final ServletContextEvent sce) {
        Security.removeProvider(AmazonCorrettoCryptoProvider.PROVIDER_NAME);
        sce.getServletContext().removeAttribute(CONTEXT);
    }

    @Override
    public void contextInitialized(@NotNull final ServletContextEvent sce) {
        AmazonCorrettoCryptoProvider.install();
        sce.getServletContext().setAttribute(CONTEXT, true);
    }
}
```
Here's the output when terminating.
Our primary recommendation is to install ACCP at the server level rather than within a servlet or webapp. However, we will look into ways to address this.
Do you have any information on how other libraries have addressed this issue?
The best way I can think of is to create a webapp which loads up Corretto as part of the servlet context. Then tell it to restart and see what is left over.
However, `Security.removeProvider(AmazonCorrettoCryptoProvider.PROVIDER_NAME);` should be the correct way of doing it.
`Security.removeProvider()` does uninstall the provider from the standard list. However, it looks like all uses of static `ThreadLocal`s are problems for this use-case. I'll keep investigating, but I'm not certain of the best method yet.
I asked SO for some assistance on this: https://stackoverflow.com/questions/63623208/how-do-i-determine-if-there-are-any-lingering-threadlocals-or-threads-on-java-wi?noredirect=1#comment112508343_63623208
This answer shows how to remove but I don't recommend you do it. But somehow change it so that it lists them.
https://stackoverflow.com/questions/29269277/how-to-identify-and-remove-threads-threadlocals-initiated-from-our-webapp-in-jav/29641045#29641045
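A list-only variant of the idea in the comment above, as an added example (not code from this thread, the linked answer, or ACCP). The class and method names are hypothetical, and it assumes the OpenJDK-internal field names `threadLocals`, `table` and `value`, which are not a public API:

```java
import java.lang.ref.Reference;
import java.lang.reflect.Array;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.List;

/** Diagnostic only: reports ThreadLocal entries tied to a ClassLoader; it never removes them. */
public final class ThreadLocalAudit {
    public static List<String> findLingering(ClassLoader webappLoader) throws ReflectiveOperationException {
        // Assumed OpenJDK internals; on Java 9+ start the JVM with --add-opens java.base/java.lang=ALL-UNNAMED.
        Field mapField = Thread.class.getDeclaredField("threadLocals");
        mapField.setAccessible(true);
        Field tableField = Class.forName("java.lang.ThreadLocal$ThreadLocalMap").getDeclaredField("table");
        tableField.setAccessible(true);
        Field valueField = Class.forName("java.lang.ThreadLocal$ThreadLocalMap$Entry").getDeclaredField("value");
        valueField.setAccessible(true);

        List<String> findings = new ArrayList<>();
        for (Thread t : Thread.getAllStackTraces().keySet()) {
            Object map = mapField.get(t);
            if (map == null) continue;              // this thread never used a ThreadLocal
            Object table = tableField.get(map);
            for (int i = 0; i < Array.getLength(table); i++) {
                Object entry = Array.get(table, i);
                if (entry == null) continue;
                Object key = ((Reference<?>) entry).get();   // Entry is a WeakReference to the ThreadLocal
                Object value = valueField.get(entry);
                if (loadedBy(key, webappLoader) || loadedBy(value, webappLoader)) {
                    findings.add(t.getName() + ": key=" + describe(key) + " value=" + describe(value));
                }
            }
        }
        return findings;
    }

    /** True when the object's class was defined by the target loader or one of its child loaders. */
    private static boolean loadedBy(Object o, ClassLoader target) {
        if (o == null) return false;
        for (ClassLoader cl = o.getClass().getClassLoader(); cl != null; cl = cl.getParent()) {
            if (cl == target) return true;
        }
        return false;
    }

    private static String describe(Object o) {
        return o == null ? "null (key already collected)" : o.getClass().getName();
    }
}
```

Calling `ThreadLocalAudit.findLingering(sce.getServletContext().getClassLoader())` at the end of `contextDestroyed` and logging the result shows which pooled threads still hold entries after `Security.removeProvider`. It only checks the direct key and value classes, so a JDK collection that wraps webapp objects is not reported.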
I have a few ideas of ways to fix this by eliminating most of my static fields which chain to thread locals (and am investigating them). However, instantiating cryptographic providers of any type (not just ACCP) can be computationally expensive. You really should try to install it once at the server level and leave it installed and alone.
Yup, I already have done that. It was more for the uncertainty before.
(Edited by SalusaSecondus to remove weird formatting and HTML from email response)
Note I'm labelling this as "enhancement" given our recommendation against use cases that require uninstallation. It still may be better to use ThreadLocals in a friendlier way, but sounds like more investigation is still needed.