Issue
There is an unclosed session warning in logs originating from the QueryBuilderImpl class:
11.01.2018 01:03:18.878 *INFO* [Apache Sling Resource Resolver Finalizer Thread] org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl Unclosed ResourceResolver was created here: java.lang.Exception: Opening Stacktrace at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.<init>(CommonResourceResolverFactoryImpl.java:521) at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.register(CommonResourceResolverFactoryImpl.java:218) at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:101) at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:94) at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:263) at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:173) at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105) at com.day.cq.search.impl.builder.QueryBuilderImpl.createResourceResolver(QueryBuilderImpl.java:210) at com.day.cq.search.impl.builder.QueryImpl.getResourceResolver(QueryImpl.java:231) at com.day.cq.search.impl.result.HitImpl.getResource(HitImpl.java:108) at com.day.cq.search.writer.SimpleHitWriter.writeSimpleJson(SimpleHitWriter.java:54) at com.day.cq.search.writer.SimpleHitWriter.write(SimpleHitWriter.java:41) at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.writeHits(QueryBuilderJsonServlet.java:165) at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.handleQuery(QueryBuilderJsonServlet.java:113) at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.doGet(QueryBuilderJsonServlet.java:73) at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:270) at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:140) at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:346) at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:378) at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:552) at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:44)
Environment
AEM 6.3 SP1-CFP1
Cause
Known product bug CQ-4225849
This resourceresolver leak includes custom code using the QueryBuilder API and the /bin/querybuilder.* servlets (see QueryBuilderJsonServlet in the stack trace above).
Resolution
On live AEM sites, it is recommended that /bin/querybuilder URLs be blocked by the dispatcher. These URLs can be used safely on (internal network facing) author instances, but on live sites, it has the potential to open the system to data disclosure.
The workaround for this bug is to avoid using the /bin/querybuilder servlet and instead use the QueryBuilder API. After calling the API, then manually close the ResourceResolver after processing the query result.
Sample code here.
For example, here is code leaking resource resolvers:
Query query = queryBuilder.createQuery(..., session); SearchResult result = query.getResult(); for (Hit hit : result.getHits()) { // do some processing }
Workaround code:
// workaround: close internal resource resolver Iterator<Resource> resources = result.getResources(); if (resources.hasNext()) { resources.next().getResourceResolver().close(); }