HADOOP-11837. AuthenticationFilter should destroy SignerSecretProvider in Tomcat deployments. Contributed by Bowen Zhang.

hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java

@@ -187,6 +187,7 @@ public class AuthenticationFilter implements Filter {
   private long validity;
   private String cookieDomain;
   private String cookiePath;
+  private boolean isInitializedByTomcat;
 
   /**
    * <p>Initializes the authentication filter and signer secret provider.</p>
@@ -252,6 +253,7 @@ public class AuthenticationFilter implements Filter {
         secretProvider = constructSecretProvider(
             filterConfig.getServletContext(),
             config, false);
+        isInitializedByTomcat = true;
       } catch (Exception ex) {
         throw new ServletException(ex);
       }
@@ -380,6 +382,10 @@ public class AuthenticationFilter implements Filter {
       authHandler.destroy();
       authHandler = null;
     }
+    if (secretProvider != null && isInitializedByTomcat) {
+      secretProvider.destroy();
+      secretProvider = null;
+    }
   }
 
   /**

hadoop-common-project/hadoop-common/CHANGES.txt

@@ -745,6 +745,9 @@ Release 2.7.0 - UNRELEASED
     HADOOP-11815. HttpServer2 should destroy SignerSecretProvider when it
     stops. (Rohith via wheat9)
 
+    HADOOP-11837. AuthenticationFilter should destroy SignerSecretProvider in
+    Tomcat deployments. (Bowen Zhang via wheat9)
+
 Release 2.6.1 - UNRELEASED
 
   INCOMPATIBLE CHANGES