Issue

There is an unclosed session warning in logs originating from the QueryBuilderImpl class:

11.01.2018 01:03:18.878 *INFO* [Apache Sling Resource Resolver Finalizer Thread] org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl Unclosed ResourceResolver was created here: 
java.lang.Exception: Opening Stacktrace
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl$ResolverReference.<init>(CommonResourceResolverFactoryImpl.java:521)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.register(CommonResourceResolverFactoryImpl.java:218)
at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:101)
at org.apache.sling.resourceresolver.impl.ResourceResolverImpl.<init>(ResourceResolverImpl.java:94)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolverInternal(CommonResourceResolverFactoryImpl.java:263)
at org.apache.sling.resourceresolver.impl.CommonResourceResolverFactoryImpl.getResourceResolver(CommonResourceResolverFactoryImpl.java:173)
at org.apache.sling.resourceresolver.impl.ResourceResolverFactoryImpl.getResourceResolver(ResourceResolverFactoryImpl.java:105)
at com.day.cq.search.impl.builder.QueryBuilderImpl.createResourceResolver(QueryBuilderImpl.java:210)
at com.day.cq.search.impl.builder.QueryImpl.getResourceResolver(QueryImpl.java:231)
at com.day.cq.search.impl.result.HitImpl.getResource(HitImpl.java:108)
at com.day.cq.search.writer.SimpleHitWriter.writeSimpleJson(SimpleHitWriter.java:54)
at com.day.cq.search.writer.SimpleHitWriter.write(SimpleHitWriter.java:41)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.writeHits(QueryBuilderJsonServlet.java:165)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.handleQuery(QueryBuilderJsonServlet.java:113)
at com.day.cq.search.impl.servlets.QueryBuilderJsonServlet.doGet(QueryBuilderJsonServlet.java:73)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:270)
at org.apache.sling.api.servlets.SlingAllMethodsServlet.mayService(SlingAllMethodsServlet.java:140)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:346)
at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:378)
at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:552)
at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:44)

Environment

AEM 6.3 SP1-CFP1

Cause

Known product bug CQ-4225849

This resourceresolver leak includes custom code using the QueryBuilder API and the /bin/querybuilder.* servlets (see QueryBuilderJsonServlet in the stack trace above).

Resolution

On live AEM sites, it is recommended that /bin/querybuilder URLs be blocked by the dispatcher.  These URLs can be used safely on (internal network facing) author instances, but on live sites, it has the potential to open the system to data disclosure.

The workaround for this bug is to avoid using the /bin/querybuilder servlet and instead use the QueryBuilder API. After calling the API, then manually close the ResourceResolver after processing the query result.

Sample code here.

For example, here is code leaking resource resolvers:

Query query = queryBuilder.createQuery(..., session);
SearchResult result = query.getResult();
for (Hit hit : result.getHits()) {
// do some processing
}

Workaround code:

// workaround: close internal resource resolver
Iterator<Resource> resources = result.getResources();
if (resources.hasNext()) {
resources.next().getResourceResolver().close();
}

See töö on litsentseeritud Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported litsentsiga  Süsteemi Creative Commons tingimused ei kehti Twitter™-i ja Facebooki postitustele.

Juriidilised märkused   |   Privaatsuspõhimõtted veebis