CachingOperationInvoker cache can consume a significant amount of heap space #28313

Closed
andywhite27 opened this issue Oct 13, 2021 · 2 comments
@andywhite27

Java 11
Spring Boot 2.5.4

Hi,

We have had a service using significant amounts of heap space. We have managed to get a heap dump and it looks like the map in CachingOperationInvoker is enormous. We are using Spring Security to secure the endpoints in the service, but the health endpoint does not require authentication.

The Spring Security configuration:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class JwtWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

  @Autowired private JwtAuthenticationConverter jwtAuthenticationConverter;

  @Override
  protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests(authorize -> authorize.antMatchers("/v*/**").authenticated())
        .authorizeRequests(authorize -> authorize.anyRequest().permitAll())
        .csrf()
        .disable()
        .oauth2ResourceServer()
        .jwt(jwtConfigurer -> jwtConfigurer.jwtAuthenticationConverter(jwtAuthenticationConverter));
  }
}

Where JwtAuthenticationConverter is defined in another @Configuration class and uses the JwtGrantedAuthoritiesConverter to set the prefix and location of the claims in the JWT:

  @Bean
  public JwtAuthenticationConverter getJwtAuthenticationConverter() {
    JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter =
        new JwtGrantedAuthoritiesConverter();
    jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName(ROLES_CLAIM_NAME);
    jwtGrantedAuthoritiesConverter.setAuthorityPrefix(ROLE_PREFIX);
    JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
    jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);

    return jwtAuthenticationConverter;
  }

When a non-authenticated user calls the health endpoint, the cache in the CachingOperationInvoker is used correctly because the principal is null. However, if a user calls the health endpoint and provides a JWT, the Principal is not null and there is a cache miss. In this case the Principal is an org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken, and every time the user refreshes their token the hash of the JwtAuthenticationToken is different, which means that the CacheKey hash is different, hence the cache miss. In our situation this results in the CachingOperationInvoker.cachedResponses growing and growing with each authenticated request.

Honestly I don't know if this is genuinely a memory leak / issue or is caused by us doing something stupid through our configuration. I'd love to know your thoughts and to get some advice please.

Thanks,

Andy

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 13, 2021
@snicoll snicoll added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 14, 2021
@snicoll snicoll added this to the 2.4.x milestone Oct 14, 2021
@snicoll
Member

snicoll commented Oct 14, 2021

Thanks for the report. It looks to me that, at the very least, we should have some sort of automatic expiration of cache entries.

@andywhite27
Author

Thanks @snicoll

@philwebb philwebb self-assigned this Oct 14, 2021
@philwebb philwebb changed the title from "CachingOperationInvoker cache growing with each authenticated request" to "CachingOperationInvoker cache can consume a significant amount of heap space" Oct 14, 2021
@philwebb philwebb modified the milestones: 2.4.x, 2.4.12 Oct 14, 2021
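
An added illustration of the growth described in this thread, not code from Spring Boot or from the reporter: a simplified response cache keyed by principal, run once without eviction and once with the automatic expiration suggested in the thread. The class names, the 1-second TTL, and the `Map.entry` stand-in for a `JwtAuthenticationToken` are assumptions made for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;
// Simplified model of a response cache keyed by principal (hypothetical names throughout).
public class PrincipalKeyedCacheDemo {
    static final class Cached {
        final Object response;
        final long createdAt;
        Cached(Object response, long createdAt) { this.response = response; this.createdAt = createdAt; }
    }

    static final class PrincipalCache {
        private static final Object ANONYMOUS = new Object(); // ConcurrentHashMap rejects null keys
        private final Map<Object, Cached> responses = new ConcurrentHashMap<>();
        private final long ttlMillis;
        private final boolean evictExpired;
        PrincipalCache(long ttlMillis, boolean evictExpired) { this.ttlMillis = ttlMillis; this.evictExpired = evictExpired; }

        Object invoke(Object principal, long now, Supplier<Object> target) {
            if (evictExpired) { // drop every entry older than the TTL, whoever it belongs to
                responses.values().removeIf(c -> now - c.createdAt >= ttlMillis);
            }
            Object key = (principal != null) ? principal : ANONYMOUS;
            Cached hit = responses.get(key);
            if (hit == null || now - hit.createdAt >= ttlMillis) {
                hit = new Cached(target.get(), now); // miss or stale: call the real operation
                responses.put(key, hit);
            }
            return hit.response;
        }

        int size() { return responses.size(); }
    }

    // 10,000 requests from one user, 100 ms apart, each carrying a newly issued token.
    static int simulate(boolean evictExpired) {
        PrincipalCache cache = new PrincipalCache(1_000, evictExpired);
        for (int i = 0; i < 10_000; i++) {
            Object principal = Map.entry("user-1", "token-" + i); // constructed stand-in for a JWT principal
            cache.invoke(principal, i * 100L, () -> "UP");
        }
        return cache.size();
    }

    public static void main(String[] args) {
        System.out.println("entries without eviction: " + simulate(false));
        System.out.println("entries with eviction:    " + simulate(true));
    }
}
```

Without eviction the map retains one entry for every token it has ever seen; with eviction it holds only the entries created within the last TTL window, regardless of how many distinct tokens arrive.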