I think I tracked down the reason why these PrincipalForApplicationUser instances won't get garbage collected:
With Basic-Auth as the authentication strategy, each request to the REST endpoint spawns a new HTTP Session, which holds a reference to a collection of PrincipalForApplicationUser instances.
Now when tomcat runs in a mode, where it keeps all the sessions (session persistence mode) these objects cannot be garbage collected.
I'm not a 100% sure but, it seems the described behavior is as it should be and hence a non-issue.
However, I'm currently investigating, whether I got it all wrong, or there is a convenient solution to this, eg. don't create that many HTTP session objects.
Let me know what you think!
On 2019/07/23 07:29:26, Leandro D'Agostino <L.D'[EMAIL PROTECTED]> wrote: