CAS permanently retaining authentication log messages in memory, requiring daily restarts


Ed R

Mar 6, 2018, 1:48:39 PM
to CAS Community
Our customer has to restart their CAS server every day, and sometimes multiple times per day, because it constantly uses up memory until there's none left. I did some local testing and profiling with VisualVM and it appears that the authentication log messages are permanently retained in memory.

I'm using CAS 5.2.3 deployed in Tomcat. Logging levels are set to WARN for everything. For my local testing I've configured TGTs to expire after one minute of inactivity and service tickets expire after 5 seconds. After I run my local test, wait a few minutes, and then click the "Perform GC" button in VisualVM to run the garbage collector, it still shows increasing amounts of used memory, with pretty much all of the memory being strings. Examining them, they are mostly authentication log messages. For example:

esi1@SERVICE_TICKET_CREATED@ST-199900-pNLEGxw1equhpUJOnkyLYZYe0f4-HOSTNAME for https://URL@3/6/18 10:36 AM
ST-199900-pNLEGxw1equhpUJOnkyLYZYe0f4-HOSTNAME for https://URL
SERVICE_TICKET_CREATED

Those three lines are repeated N times and use up all of the memory. How do I fix this?

Man H

Mar 6, 2018, 2:07:02 PM
to cas-...@apereo.org

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d1d17dbc-8d02-4059-b153-a758801de506%40apereo.org.

Ed R

Mar 6, 2018, 2:14:29 PM
to CAS Community
For my local testing I'm on Windows 7 64-bit, running Tomcat 8.5.15. 

Man H

Mar 6, 2018, 2:28:38 PM
to cas-...@apereo.org
ok keep on looking


Ed R

Mar 6, 2018, 2:29:17 PM
to CAS Community
Here is my entire CAS configuration. This does not reflect the real deployment but is what I used for testing.


##
# CAS Server Context Configuration
#
server.context-path=/cas
server.port=444

server.ssl.key-store=file:C:/tomcat/conf/keystore.jks
server.ssl.key-store-password=REMOVED
server.ssl.key-password=REMOVED
server.tomcat.accesslog.enabled=false
management.context-path=/status

##
# CAS Log4j Configuration
#
logging.config=file:C:/etc/cas/config/log4j2.xml
logging.level.org.apereo.cas=ERROR
cas.log.level=WARN
server.context-parameters.isLog4jAutoInitializationDisabled=true

#Disable default casuser
cas.authn.accept.users=

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://REMOVED
cas.authn.ldap[0].baseDn=OU=TAP,DC=tap,DC=test
cas.authn.ldap[0].userFilter=sAMAccountName={user}
cas.authn.ldap[0].usePasswordPolicy=true
cas.authn.ldap[0].bindDn=CN=ESI7,OU=Service,OU=Users,OU=TAP,DC=tap,DC=test
cas.authn.ldap[0].bindCredential=REMOVED
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,givenName,memberOf
cas.authn.ldap[0].trustCertificates=file:C:/etc/cas/config/ldap.cer

cas.adminPagesSecurity.ip=0\.0\.0\.0
cas.adminPagesSecurity.loginUrl=https://REMOVED:444/cas/login
cas.adminPagesSecurity.service=https://REMOVED:444/cas/status
cas.adminPagesSecurity.users=file:C:/etc/cas/config/adminusers.properties
cas.adminPagesSecurity.adminRoles=ROLE_ADMIN
cas.adminPagesSecurity.actuatorEndpointsEnabled=true
cas.serviceRegistry.config.location=file:C:/etc/cas/config
cas.logout.followServiceRedirects=true

# Sessions are terminated if no new tickets are requested in one minute
cas.ticket.tgt.timeToKillInSeconds=60

# Sessions can last a full week if used continuously
cas.ticket.tgt.maxTimeToLiveInSeconds=604800

# Service tickets can only be used once
cas.ticket.st.numberOfUses=1

# Service tickets expire after five seconds if not used
cas.ticket.st.timeToKillInSeconds=5



Man H

Mar 6, 2018, 2:37:31 PM
to cas-...@apereo.org

2018-03-06 16:29 GMT-03:00 Ed R <cgamepr...@gmail.com>:


Ed R

Mar 6, 2018, 7:45:17 PM
to CAS Community
I read it but still have not been able to find a solution. It's really a ConcurrentHashMap using up all the memory; each of its nodes has a key that is the logging messages I posted above, and a value that is an AuditActionContext. I don't understand why this hash map persists in memory forever.
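The check described in the first post (run the load, force a GC, see what is still retained) can also be scripted by diffing two `jmap -histo:live <pid>` snapshots, since `:live` forces a full collection before counting. This is an added example, not part of the thread or of CAS; the two snapshots are constructed and `org.example.AuditRecord` is a hypothetical class name.

```python
import re

# One data row of `jmap -histo` output: rank, instance count, bytes, class name.
# JDK 9+ appends " (module@version)" after the class name; it is dropped here.
ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_histogram(text):
    """Return {class_name: (instances, bytes)} from jmap -histo text."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and "Total" lines do not match
            table[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return table

def growth(before, after, min_bytes=0):
    """Classes whose live bytes grew between two post-GC snapshots, largest first."""
    old, new = parse_histogram(before), parse_histogram(after)
    rows = []
    for cls, (inst, size) in new.items():
        old_inst, old_size = old.get(cls, (0, 0))  # class absent earlier counts as 0
        if size - old_size > min_bytes:
            rows.append((cls, inst - old_inst, size - old_size))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample snapshots (not real CAS output), Java 8 style.
SNAPSHOT_1 = """\
 num     #instances         #bytes  class name
----------------------------------------------
   1:         41000        3936000  [C
   2:         40500         972000  java.lang.String
   3:          9000         288000  java.util.concurrent.ConcurrentHashMap$Node
   4:          1200         134400  java.lang.Class
Total         91700        5330400
"""
SNAPSHOT_2 = """\
 num     #instances         #bytes  class name
----------------------------------------------
   1:        161000       15456000  [C
   2:        160500        3852000  java.lang.String
   3:         40000        1920000  org.example.AuditRecord
   4:         49000        1568000  java.util.concurrent.ConcurrentHashMap$Node
   5:          1200         134400  java.lang.Class
Total        411700       22930400
"""

if __name__ == "__main__":
    for cls, d_inst, d_bytes in growth(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{cls:50s} +{d_inst:>8d} instances  +{d_bytes:>10d} bytes")
```

Classes that keep climbing across several post-GC snapshots while ticket counts stay flat are the ones still reachable from a long-lived reference.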