Needs an uninstall

[trajano]

When starting this up using a ServletContextListener and terminating the application it says that there are ThreadLocals that are still remaining.

Calling Security.removeProvider doesn't resolve the threadlocal issues

public class InstallCorretto implements ServletContextListener {

    /**
     * Servlet context attribute key.
     */
    public static final String CONTEXT = "useCorretto";

    @Override
    public void contextDestroyed(@NotNull final ServletContextEvent sce) {

        Security.removeProvider(AmazonCorrettoCryptoProvider.PROVIDER_NAME);
        sce.getServletContext().removeAttribute(CONTEXT);

    }

    @Override
    public void contextInitialized(@NotNull final ServletContextEvent sce) {

        AmazonCorrettoCryptoProvider.install();
        sce.getServletContext().setAttribute(CONTEXT, true);

    }
}

Here's the output when terminating.

[SalusaSecondus]

Our primary recommendation is to install ACCP at the server level rather than within a servlet or webapp. However, we will look into ways to address this.

Do you have any information on how other libraries have addressed this issue?

[trajano]

The best way I can think of is to create a webapp which loads up Cornetto as part of the servlet context
Then tell it to restart and see what is left over.

However, Security.removeProvider(AmazonCorrettoCryptoProvider.PROVIDER_NAME); should be the correct way of doing it.

[SalusaSecondus]

Security.removeProvider() does uninstall the provider from the standard list. However it looks like all use of static ThreadLocals are problems for this use-case. I'll keep investigating, but I'm not certain the best method yet.

[trajano]

I asked SO for some assitance on this https://stackoverflow.com/questions/63623208/how-do-i-determine-if-there-are-any-lingering-threadlocals-or-threads-on-java-wi?noredirect=1#comment112508343_63623208

This answer shows how to remove but I don't recommend you do it. But somehow change it so that it lists them.

https://stackoverflow.com/questions/29269277/how-to-identify-and-remove-threads-threadlocals-initiated-from-our-webapp-in-jav/29641045#29641045

[SalusaSecondus]

I have a few ideas of ways to fix this by eliminating most of my static fields which chain to thread locals (and am investigating them). However, instantiating cryptographic providers of any time (not just ACCP) can be computationally expensive. You really should try to install it once at the server level and leave it installed and alone.

[trajano]

Yup I already have done that. It was more for the uncerntainty before (Edited by SalusaSecondus to remove weird formatting and HTML from email response)

[robin-aws]

Note I'm labelling this as "enhancement" given our recommendation against use cases that require uninstallation. It still may be better to use ThreadLocals in a friendlier way, but sounds like more investigation is still needed.