We have implement Spring security for PreAuthentication (siteminder). We are seeing following error logged when we stop tomcat server. I'm not sure what are we doing wrong.
SEVERE: The web application [/xyz] created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@1cad3a6]) and a value of type [org..security.web.context.fromSessi onSecurityContextRepository.SaveToSessionResponseW rapper] (value [org..security.web.context.fromSessi onSecurityContextRepository$SaveToSessionResponseW rapper@10d4170]) but failed to remove it when the web application was stopped. This is very likely to create a memory leak.
SEVERE: The web application [/xyz] created a ThreadLocal with key of type [java.lang.ThreadLocal] (value [java.lang.ThreadLocal@14355f1]) and a value of type [org..security.web.servletapi.Securi tyContextHolderAwareRequestWrapper] (value [org..security.web.servletapi.Securi tyContextHolderAwareRequestWrapper@1bf7527]) but failed to remove it when the web application was stopped. This is very likely to create a memory leak.following are setting on my side
web.xml
lt;filtergt;
lt;filter-namegt;springSecurityFilterChainlt;/filter-namegt;
lt;filter-classgt;org..web.filter.DelegatingFil terProxylt;/filter-classgt;
lt;/filtergt;
lt;filter-mappinggt;
lt;filter-namegt;springSecurityFilterChainlt;/filter-namegt;
lt;ucl-patterngt;/*lt;/ucl-patterngt;
lt;/filter-mappinggt;
****************************************
security-context.xml
lt;bean id=quot;entryPointquot;
class=quot;org..security.web.authentica tion.from403ForbiddenEntryPointquot; /gt;
lt;sec:from auto-config=quot;truequot; entry-point-ref=quot;entryPointquot;gt;
lt;sec:intercept-ucl pattern=quot;/**quot; access=quot;ROLE_USERquot; /gt;
lt;sec:custom-filter position=quot RE_AUTH_FILTERquot; ref=quot;siteminderFilterquot; /gt;
lt;/sec:fromgt;lt;bean id=quot;siteminderFilterquot;
class=quot;org..security.web.authentica tion.preauth.RequestHeaderAuthenticationFilterquot;gt;
lt;property name=quot;principalRequestHeaderquot; value=quot;SM_USERquot; /gt;
lt;property name=quot;authenticationManagerquot; ref=quot;authenticationManagerquot; /gt;
lt;/beangt;lt;bean id=quot;preauthAuthProviderquot;
class=quot;org..security.web.authentica tion.preauth.PreAuthenticatedAuthenticationProvide rquot;gt;
lt;property name=quot;preAuthenticatedUserDetailsServicequot; ref=quot;userDetailsServiceWrapperquot; /gt;
lt;/beangt;
lt;sec:authentication-manager alias=quot;authenticationManagerquot;gt;
lt;sec:authentication-provider ref=quot;preauthAuthProviderquot; /gt;
lt;/sec:authentication-managergt;
lt;bean id=quot;userDetailsServiceWrapperquot;
class=quot;org..security.core.userdetai ls.UserDetailsByNameServiceWrapperquot;gt;
lt;property name=quot;userDetailsServicequot; ref=quot;userDetailsServicequot;gt;lt;/propertygt;
lt;/beangt;
lt;bean id=quot;userDetailsServicequot; class=quot;com.xx.xx.xx.auth.CustomUserDetailServiceIm plquot;gt;
lt;property name=quot;cduUsersServicequot; ref=quot;customUsersServicequot;gt;lt;/propertygt;
lt;/beangt;
will appreciate any help.
What version of Tomcat are you using? I know that there were some issues early on with this feature. Do these logs happen when shutting down tomcat or undeploying? Do not quote me on this, but I believe there can be false positives if you shutdown tomcat. I believe that the leak detection is more reliable with stopping the individual application.
If there actually is an issue....
The logs state that the fromServletRequest and the fromServletResponse are being stored in a ThreadLocal and not removing it after each request. Spring Security does use a ThreadLocal to store the SecurityContext. This is cleaned up using the SecurityContextPersistenceFilter (which your configuration has in it). However, Spring Security does not store the fromServletRequest or fromServletResponse which is what your error message is displaying.
It is likely that some other framework you have is storing the request/response in a ThreadLocal. It is quite possible that the leak is only picked up when you add Spring Security because it isn't until then the object stored in the ThreadLocal is an object loaded by your web application's class loader. This is similar how Tomcat will pick up the leak for Webapp class instance as ThreadLocal value when you stop the application. However, it will not detect the leak for Webapp class instance indirectly held through a ThreadLocal value when you stop the application. To detect this scenario you need to click the find leaks button.
My advice to you is to use a tool like MAT to diagnose where the issue is originating from. You can use this guide to help you figure it out. Please post a follow up on your findings.
If you are unable to diagnose the issue, you can provide a dump of your jvm and I will try and take a look at it. A few important things when obtaining the dump are: you need to start up tomcat with nothing deployed to it, install your application, use the application some, uninstall your application, install it again, use it a bit longer, and then obtain the dump.
Thanks for the response. I'll do some analysis as suggested and post the results soon.
On some of you questions .
Tomcat version is 6.0.29.
Error is logged on stopping the application instance.
Other framework is GWT client/server(RPC) (not sure if that will be an issue).Thanks again for you guidance.
We found the root cause of the issue. There is another process in the application was not releasing the request/response from the ThreadLocal.
We fixed the bug and resolved the issue.
Thanks a lot for you help. |
Post at 2011-4-15 14:34
| This Author's Posts Only
