Heap memory leak in HashMapBackedSessionMappingStorage


Krzysztof Ślusarski

Oct 17, 2021, 4:12:15 AM
to cas...@apereo.org
The class org.jasig.cas.client.session.HashMapBackedSessionMappingStorage contains two maps:
private final Map<String, HttpSession> MANAGED_SESSIONS = new HashMap<String, HttpSession>();
private final Map<String, String> ID_TO_SESSION_KEY_MAPPING = new HashMap<String, String>();
There is a part of the CAS client that listens on server events and clears that storage on session destroy. That code is in org.jasig.cas.client.session.SingleSignOutHttpSessionListener. The problem is that the public API of javax.servlet.http.HttpServletRequest has a method (since servlet 3.1):
String changeSessionId();
That method doesn't destroy a session, but changes its id. This type of action doesn't affect the maps in the HashMapBackedSessionMappingStorage. It causes a memory leak, because a session with a changed id cannot be removed from the storage. Changing the session id is the default in Spring's implementation of session fixation, so the problem may become common in the future. The default is implemented in org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy and is created as the default in org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer#createDefaultSessionFixationProtectionStrategy.

Possible fix: implement a listener that implements javax.servlet.http.HttpSessionIdListener and manipulates the maps in HashMapBackedSessionMappingStorage. I've implemented this, but I cannot push my branch into https://github.com/apereo/java-cas-client:
ERROR: Permission to apereo/java-cas-client.git denied to krzysztofslusarski.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.

Can I get the right to push and open a pull request?

Best regards,
Krzysztof Ślusarski
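The leak and the proposed HttpSessionIdListener fix, as an added example that is not the reporter's PR or java-cas-client code. SimpleSessionMappingStorage is a constructed stand-in for HashMapBackedSessionMappingStorage with the same two maps, and the static STORAGE holder is an assumption made only so the listener can reach the storage.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

// Constructed stand-in for HashMapBackedSessionMappingStorage: the same two maps,
// mapping id (CAS ticket) -> session and session id -> mapping id.
final class SimpleSessionMappingStorage {
    private final Map<String, HttpSession> managedSessions = new HashMap<>();
    private final Map<String, String> idToSessionKeyMapping = new HashMap<>();

    public synchronized void addSessionById(String mappingId, HttpSession session) {
        idToSessionKeyMapping.put(session.getId(), mappingId);
        managedSessions.put(mappingId, session);
    }

    // Called from the session-destroyed path with the id the container reports at that time.
    // Without the listener below, a session whose id was changed is still keyed under its
    // old id here, so the lookup misses and both entries stay forever: the leak.
    public synchronized void removeBySessionById(String sessionId) {
        String mappingId = idToSessionKeyMapping.remove(sessionId);
        if (mappingId != null) {
            managedSessions.remove(mappingId);
        }
    }

    // Fix: move the reverse-map entry from the old session id to the new one, so the
    // later sessionDestroyed lookup by the current id still finds the mapping id.
    public synchronized void sessionIdChanged(String oldSessionId, String newSessionId) {
        String mappingId = idToSessionKeyMapping.remove(oldSessionId);
        if (mappingId != null) {
            idToSessionKeyMapping.put(newSessionId, mappingId);
        }
    }
}

// Servlet 3.1 listener the container invokes on HttpServletRequest.changeSessionId().
// STORAGE is a static holder assumed for this example; the real client wires it differently.
@WebListener
public class SessionIdChangeListener implements HttpSessionIdListener {
    static final SimpleSessionMappingStorage STORAGE = new SimpleSessionMappingStorage();

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        STORAGE.sessionIdChanged(oldSessionId, event.getSession().getId());
    }
}
```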

Dmitriy Kopylenko

Oct 17, 2021, 6:07:23 AM
to Krzysztof Ślusarski, cas...@apereo.org
Hi. 

You should be able to fork this repository on GitHub to your account, push changes there and create pull requests from your remote fork. 

Hope this helps. 

D. 


Krzysztof Ślusarski

Oct 17, 2021, 7:17:17 AM
to Dmitriy Kopylenko, cas...@apereo.org
Yes, it worked. Thank you. I've created the PR with my fix proposition.