From 92cd7daa024cdd79951e407b2d7750878308714b Mon Sep 17 00:00:00 2001
From: Omur Sahin
Date: Sat, 17 Jan 2026 20:18:22 +0300
Subject: [PATCH 1/2] connection leak
---
.../core/problem/httpws/auth/AuthUtils.kt | 39 +++++++++++--------
1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/AuthUtils.kt b/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/AuthUtils.kt
index 2329252381..37b738dd68 100644
--- a/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/AuthUtils.kt
+++ b/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/AuthUtils.kt
@@ -175,25 +175,30 @@ object AuthUtils {
 }
 if (response.statusInfo.family != Response.Status.Family.SUCCESSFUL) {
-
- /*
- if it is a 3xx, we need to look at Location header to determine
- if a success or failure.
- TODO: could explicitly ask for this info in the auth DTO.
- However, as 3xx makes little sense in a REST API, maybe not so
- important right now, although had this issue with some APIs using
- default settings in Spring Security
- */
- if (response.statusInfo.family == Response.Status.Family.REDIRECTION) {
- val location = response.getHeaderString("location")
- if (location != null && (location.contains("error", true) || location.contains("login", true))) {
- log.warn("Login request failed with ${response.status} redirection toward $location")
- return null
+ try {
+ /*
+ if it is a 3xx, we need to look at Location header to determine
+ if a success or failure.
+ TODO: could explicitly ask for this info in the auth DTO.
+ However, as 3xx makes little sense in a REST API, maybe not so
+ important right now, although had this issue with some APIs using
+ default settings in Spring Security
+ */
+ if (response.statusInfo.family == Response.Status.Family.REDIRECTION) {
+ val location = response.getHeaderString("location")
+ if (location != null && (location.contains("error", true) || location.contains("login", true))) {
+ log.warn("Login request failed with ${response.status} redirection toward $location")
+ return null
+ }
 }
- } else {
- log.warn("Login request failed with status ${response.status}")
- return null
+ else {
+ log.warn("Login request failed with status ${response.status}")
+ }
+ }
+ finally {
+ response.close()
 }
+ return null
 }
 return response
From dfcbc27a621c45be80452d09148dce2a6e7ac9fe Mon Sep 17 00:00:00 2001
From: Omur Sahin
Date: Sat, 17 Jan 2026 23:19:53 +0300
Subject: [PATCH 2/2] fix
---
.../core/problem/httpws/auth/AuthUtils.kt | 39 +++++++++----------
1 file changed, 18 insertions(+), 21 deletions(-)
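Review bot: The `return null` added after the `finally` is reached by every non-2xx response, including a 3xx whose Location contains neither "error" nor "login"; on the old side that case fell through to `return response`, so a login that succeeds with a redirect is now reported as failed. The `finally` also closes the response on that path, so dropping the trailing `return null` alone would hand an already closed response to the caller. The close belongs in the failing branches only, for example `response.close()` directly before each `return null`, which is what PATCH 2/2 of this series does. The enclosing function starts and ends outside the hunk.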
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/AuthUtils.kt b/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/AuthUtils.kt
index 37b738dd68..9ab65c621e 100644
--- a/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/AuthUtils.kt
+++ b/core/src/main/kotlin/org/evomaster/core/problem/httpws/auth/AuthUtils.kt
@@ -175,30 +175,27 @@ object AuthUtils {
 }
 if (response.statusInfo.family != Response.Status.Family.SUCCESSFUL) {
- try {
- /*
- if it is a 3xx, we need to look at Location header to determine
- if a success or failure.
- TODO: could explicitly ask for this info in the auth DTO.
- However, as 3xx makes little sense in a REST API, maybe not so
- important right now, although had this issue with some APIs using
- default settings in Spring Security
- */
- if (response.statusInfo.family == Response.Status.Family.REDIRECTION) {
- val location = response.getHeaderString("location")
- if (location != null && (location.contains("error", true) || location.contains("login", true))) {
- log.warn("Login request failed with ${response.status} redirection toward $location")
- return null
- }
+
+ /*
+ if it is a 3xx, we need to look at Location header to determine
+ if a success or failure.
+ TODO: could explicitly ask for this info in the auth DTO.
+ However, as 3xx makes little sense in a REST API, maybe not so
+ important right now, although had this issue with some APIs using
+ default settings in Spring Security
+ */
+ if (response.statusInfo.family == Response.Status.Family.REDIRECTION) {
+ val location = response.getHeaderString("location")
+ if (location != null && (location.contains("error", true) || location.contains("login", true))) {
+ log.warn("Login request failed with ${response.status} redirection toward $location")
+ response.close()
+ return null
 }
- else {
- log.warn("Login request failed with status ${response.status}")
- }
- }
- finally {
+ } else {
+ log.warn("Login request failed with status ${response.status}")
 response.close()
+ return null
 }
- return null
 }
 return response
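Review bot: The two `response.close()` calls run only on the normal path of each failure branch, so an exception thrown between the status check and the close (for instance from `getHeaderString` or while building the log message) would still leave the connection open. That is the same leak this series sets out to remove. Tracking the outcome in a flag that defaults to failure and closing once in a `finally` keeps the 3xx fall-through to `return response` while covering both the exceptional path and any failure branch added later. Whether the caller closes the response returned on the success path is not visible here, since the enclosing function starts and ends outside the hunk.

```kotlin
if (response.statusInfo.family != Response.Status.Family.SUCCESSFUL) {
    // … unchanged: comment on how 3xx responses are classified …
    var failed = true
    try {
        if (response.statusInfo.family == Response.Status.Family.REDIRECTION) {
            val location = response.getHeaderString("location")
            failed = location != null && (location.contains("error", true) || location.contains("login", true))
            if (failed) {
                log.warn("Login request failed with ${response.status} redirection toward $location")
            }
        } else {
            log.warn("Login request failed with status ${response.status}")
        }
    } finally {
        // single release point: also runs when the checks above throw
        if (failed) {
            response.close()
        }
    }
    if (failed) {
        return null
    }
}
```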