Unclosed ResourceResolver warning at com.day.cq.search.impl.builder.QueryBuilderImpl

Issue

There is an unclosed session warning in logs originating from the QueryBuilderImpl class:

11.01.2018 01:03:18.878 *INFO* [Apache Sling Resource Resolver Finalizer Thread] org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl Unclosed ResourceResolver was created here: 
java.lang.Exception: Opening Stacktrace
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.<init>(CommonResourceResolverFactoryImpl.java:521)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.register(CommonResourceResolverFactoryImpl.java:218)
at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:101)
at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:94)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:263)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:173)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
at com.day.cq.search.impl.builder.QueryBuilderImpl.createResourceResolver(QueryBuilderImpl.java:210)
at com.day.cq.search.impl.builder.QueryImpl.getResourceResolver(QueryImpl.java:231)
at com.day.cq.search.impl.result.HitImpl.getResource(HitImpl.java:108)
at com.day.cq.search.writer.SimpleHitWriter.writeSimpleJson(SimpleHitWriter.java:54)
at com.day.cq.search.writer.SimpleHitWriter.write(SimpleHitWriter.java:41)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.writeHits(QueryBuilderJsonServlet.java:165)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.handleQuery(QueryBuilderJsonServlet.java:113)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.doGet(QueryBuilderJsonServlet.java:73)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:270)
at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:140)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:346)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:378)
at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:552)
at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:44)

Environment

AEM 6.3 SP1-CFP1

Cause

Known product bug CQ-4225849

This resourceresolver leak includes custom code using the QueryBuilder API and the /bin/querybuilder.* servlets (see QueryBuilderJsonServlet in the stack trace above).

Resolution

On live AEM sites, it is recommended that /bin/querybuilder URLs be blocked by the dispatcher.  These URLs can be used safely on (internal network facing) author instances, but on live sites, it has the potential to open the system to data disclosure.

The workaround for this bug is to avoid using the /bin/querybuilder servlet and instead use the QueryBuilder API. After calling the API, then manually close the ResourceResolver after processing the query result.

Sample code here.

For example, here is code leaking resource resolvers:

Query query = queryBuilder.createQuery(..., session);
SearchResult result = query.getResult();
for (Hit hit : result.getHits()) {
// do some processing
}

Workaround code:

// workaround: close internal resource resolver
Iterator<Resource> resources = result.getResources();
if (resources.hasNext()) {
resources.next().getResourceResolver().close();
}

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online