In this case `private final ConcurrentMap<String, HazelcastHttpSession> sessions = new ConcurrentHashMap(1000)` will grow in size and cause a memory leak.
The requests with basic auth hit this method (after successful basic authentication):
```java
abstract class AbstractSessionFixationProtectionStrategy implements
        SessionAuthenticationStrategy, ApplicationEventPublisherAware {
    ...
    /**
     * Applies session fixation
     *
     * @param request the {@link HttpServletRequest} to apply session fixation protection for
     * @return the new {@link HttpSession} to use. Cannot be null.
     */
    abstract HttpSession applySessionFixation(HttpServletRequest request);
    ...
}
```
The method above changes the session id, but Hazelcast doesn't know about it.
Hazelcast tries to remove the session based on the old session id, cannot find the session, and that's why the session is not removed and a memory leak occurs.
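An added example (not Hazelcast or Spring Security code) that models the leak described above: a registry keyed by session id silently misses the expiry removal once session fixation protection renames the session, and rekeying the entry on a Servlet 3.1 `HttpSessionIdListener`-style callback closes the gap. `SessionRegistry`, `renameSession` and the session ids are invented for this example.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Added model of the leak in this issue (not Hazelcast/Spring Security code;
// SessionRegistry and renameSession are invented names).
public class SessionIdChangeLeakDemo {
    static final class Session {
        String id;
        boolean valid = true;
        Session(String id) { this.id = id; }
    }
    static final class SessionRegistry {
        final ConcurrentMap<String, Session> sessions = new ConcurrentHashMap<>();
        void add(Session s) { sessions.put(s.id, s); }
        // Expiry path: the container passes the session's *current* id, so
        // the remove silently misses if the map still holds the old key.
        void invalidate(Session s) {
            s.valid = false;
            sessions.remove(s.id);
        }
        // Fix: rekey the entry when the id changes (Servlet 3.1 exposes this
        // to web apps via HttpSessionIdListener.sessionIdChanged).
        void sessionIdChanged(String oldId, String newId) {
            Session s = sessions.remove(oldId);
            if (s != null) sessions.put(newId, s);
        }
        // Invalid sessions still held by the map are exactly the leaked entries.
        long leakedCount() {
            return sessions.values().stream().filter(s -> !s.valid).count();
        }
    }
    // Session fixation protection renames the session; only a registry passed
    // as listener gets told about the new id.
    static void renameSession(Session s, String newId, SessionRegistry listener) {
        String oldId = s.id;
        s.id = newId;
        if (listener != null) listener.sessionIdChanged(oldId, newId);
    }
    public static void main(String[] args) {
        SessionRegistry leaky = new SessionRegistry(), fixed = new SessionRegistry();
        Session a = new Session("old-1"), b = new Session("old-2");
        leaky.add(a); renameSession(a, "new-1", null); leaky.invalidate(a);
        fixed.add(b); renameSession(b, "new-2", fixed); fixed.invalidate(b);
        System.out.println("leaked without listener: " + leaky.leakedCount());
        System.out.println("leaked with listener: " + fixed.leakedCount());
    }
}
```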
Faced with the problem that the sessions map is not cleaned completely when sessions expire. Looks like the issue is not resolved completely.
In debug mode I am able to see that the original session in the hz session is invalid, but it is still present in the sessions ConcurrentHashMap:
```java
((Session)((HazelcastHttpSession)((java.util.concurrent.ConcurrentHashMap.MapEntry)sessions.entrySet().toArray()[0]).getValue()).originalSession)._state == INVALID
```
Conf:
```xml
<hazelcastVersion>3.8.3</hazelcastVersion>
<springVersion>4.3.7.RELEASE</springVersion>
<springSecurityVersion>4.2.3.RELEASE</springSecurityVersion>
```