Subject: Memory leak related to permissions

I think I tracked down the reason why these PrincipalForApplicationUser instances won't get garbage collected:

With Basic-Auth as the authentication strategy, each request to the REST endpoint spawns a new HTTP Session, which holds a reference to a collection of PrincipalForApplicationUser instances.

Now, when Tomcat runs in a mode where it keeps all the sessions (session persistence mode), these objects cannot be garbage collected.

I'm not 100% sure, but it seems the described behavior is as it should be and hence a non-issue.

However, I'm currently investigating whether I got it all wrong or whether there is a convenient solution to this, e.g. don't create that many HTTP session objects.

Let me know what you think!

Cheers, Andi
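
One way to keep Basic-Auth requests from leaving a session behind, as an added example that is not code from this thread or from the project: a servlet filter that invalidates any HTTP session created while serving a request that carried a Basic `Authorization` header. The class name `StatelessBasicAuthFilter` is hypothetical, and the `javax.servlet` API (Tomcat 9 or earlier) is an assumption.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter: map it to the REST endpoint's URL pattern only.
public class StatelessBasicAuthFilter implements Filter {

    @Override
    public void init(FilterConfig config) { /* no configuration needed */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // getSession(false) never creates a session; it only reports an existing one.
        boolean hadSessionBefore = http.getSession(false) != null;
        try {
            chain.doFilter(req, res);
        } finally {
            HttpSession session = http.getSession(false);
            // Only drop sessions that this request created and that belong to a
            // Basic-Auth call; sessions from other login flows are left alone.
            if (!hadSessionBefore && session != null && isBasicAuth(http)) {
                // Releases the session and everything it references (including
                // the principal collection), so it can be garbage collected and
                // is not written out by the container's session persistence.
                session.invalidate();
            }
        }
    }

    // The auth scheme token is case-insensitive (RFC 7617).
    static boolean isBasicAuth(HttpServletRequest http) {
        String header = http.getHeader("Authorization");
        return header != null && header.regionMatches(true, 0, "Basic ", 0, 6);
    }

    @Override
    public void destroy() { /* nothing to release */ }
}
```

Clients that send credentials on every request are unaffected; a client that relies on the session cookie between calls would be re-authenticated each time.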

On 2019/07/23 07:29:26, Leandro D'Agostino <L.D'[EMAIL PROTECTED]> wrote: