I found a memory leak in my web-application, and I think it’s related to spring-security and/or spring-remoting.
The web application is composed of a front-end tier (SpringMVC) that communicates with a service tier via spring-remoting. The service provides an authentication service (a spring authentication-provider facade) and a service facade. To access the service facade we use an AuthenticationSimpleHttpInvokerRequestExecutor, although it does not require authentication for the moment.
What I first spotted is that, after undeploying the application, a ServletContextImpl instance is kept in a ThreadLocal variable.
I found the issue SEC-1578 in spring-security-3.0.3-RELEASE regarding a SecurityContextImpl instance that was removed with ThreadLocal.set(null) instead of ThreadLocal.remove(). But even after upgrading to spring-security-3.0.5-RELEASE, the variable was there.
I completely removed the spring-security configuration from my main application and the memory leak was gone. So I sought the cause by incrementally restoring the different components in these steps:
- setting only the maven dependency (no configuration at all)
- setting up the simplest possible client side configuration (not using the remote service to authenticate)
- using the SimpleHttpInvokerRequestExecutor in place of the AuthenticationSimpleHttpInvokerRequestExecutor (as the service does not actually enforce security). This gave me a memory leak due to a “Keep-Alive-Timer” thread not being released
- finally I set up the AuthenticationSimpleHttpInvokerRequestExecutor and I got the SecurityContextImpl not being released
Sure that I had found the configuration to recreate the problem, I started writing a minimal application to submit the case to the Spring Community, but unfortunately it only suffers from the “Keep-Alive” thread being held, no matter which “HttpInvoker” I was using.
I hope this is enough information to start looking for the reason why the SecurityContextImpl is being held. Or you can give me a hint about how to fix it.
The application I wrote is available at https://github.com/xan/SpringRemotingLeak
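
Added example (not part of the original post and not Spring Security code): a small Java program showing the difference between ThreadLocal.set(null) and ThreadLocal.remove() that SEC-1578 is about. The class name, the CONTEXT holder and the sample value are hypothetical; a single-thread executor stands in for a container worker thread that outlives the request.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;

public class ThreadLocalCleanupDemo {
    // Counts how often the initial value is created, i.e. how often get() found no entry.
    static final AtomicInteger INIT_CALLS = new AtomicInteger();

    // Hypothetical stand-in for a per-request context holder.
    static final ThreadLocal<String> CONTEXT = ThreadLocal.withInitial(() -> {
        INIT_CALLS.incrementAndGet();
        return "empty-context";
    });

    // Returns what the next task on the same worker thread observes after cleanup.
    static String nextTaskSees(boolean useRemove) throws Exception {
        ExecutorService worker = Executors.newSingleThreadExecutor(); // one pooled thread
        try {
            worker.submit(() -> {
                try {
                    CONTEXT.set("user=alice"); // constructed sample value
                } finally {
                    if (useRemove) {
                        CONTEXT.remove();   // deletes the entry from the thread's map
                    } else {
                        CONTEXT.set(null);  // keeps the entry, only nulls its value
                    }
                }
            }).get();
            int before = INIT_CALLS.get();
            String seen = worker.submit(() -> String.valueOf(CONTEXT.get())).get();
            return seen + " (initialValue re-run: " + (INIT_CALLS.get() > before) + ")";
        } finally {
            worker.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("set(null): " + nextTaskSees(false));
        System.out.println("remove():  " + nextTaskSees(true));
    }
}
```

After set(null) the next task reads null without the initial value being recreated, which shows the entry is still registered on the thread; after remove() the entry is gone and the initial value is built again.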