OutOfMemory in SessionRegistryImpl (Spring Security Adapter Config)

Hi,
I configured the SessionAuthenticationStrategy (Spring Security Adapter) as stated in the official documentation: Securing Applications and Services Guide
After creating a test with a lot of new sessions I encountered an OutOfMemory exception because the registered sessions are not cleared out of the ConcurrentHashMap used in SessionRegistryImpl. In debug mode I noticed that the SessionDestroyedEvents were not received in the SessionRegistryImpl even though the ServletListenerRegistrationBean had been defined.

After that I tried to define the SessionRegistryImpl as a separate bean, with the result that the SessionDestroyedEvents were successfully received in SessionRegistryImpl and the registered sessions were destroyed:

@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    return new RegisterSessionAuthenticationStrategy(buildSessionRegistry());
}

@Bean
protected SessionRegistry buildSessionRegistry() {
    return new SessionRegistryImpl();
}

Is that a known behaviour? Maybe the documentation should be edited on this point.
Thanks and greetings.

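A complete wiring of the fix described in this post, as an added example (not code from the original post or from the Keycloak documentation). It assumes Spring Boot 2 package names and that the HttpSessionEventPublisher listener is registered as the adapter guide shows; the class name `SessionRegistryConfiguration` is made up for the example.

```java
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Example configuration (hypothetical class name), not the poster's own code.
@Configuration
@EnableWebSecurity
public class SessionRegistryConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    // (1) Servlet listener that turns the container's session create/destroy
    //     callbacks into Spring ApplicationEvents (HttpSessionDestroyedEvent).
    //     Without it nothing is ever published, whatever the registry looks like.
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }

    // (2) The registry must be a managed bean: SessionRegistryImpl is an
    //     ApplicationListener, and the context only dispatches events to beans
    //     it knows about. An instance created with `new` inside the strategy
    //     (the leaking variant from the post) never sees the destroy event, so
    //     its principal/session maps only ever grow.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // (3) Hand the managed registry to the strategy instead of a fresh instance.
    //     Inside a @Configuration class this call returns the singleton bean.
    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(sessionRegistry());
    }
}
```

To confirm the fix under load, watch `sessionRegistry().getAllPrincipals().size()` (or a heap histogram of SessionInformation objects) while sessions time out; with the unmanaged registry the count only rises, with the bean it falls back as sessions are destroyed.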

Same issue here.

Implementation code:

public class WebSecurityConfiguration extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        // Registry created inline, so it is not a managed bean
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        http
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.NEVER);

        http
                .authorizeRequests()
                .antMatchers("/api/**")
                .authenticated()
                .anyRequest()
                .permitAll();

        http.csrf().disable(); // If enabled, POST requests don't work.

        http.cors();
    }
}

I could fix it using NullAuthenticatedSessionStrategy.

In a deeper analysis I see that SessionRegistryImpl never receives SessionDestroyedEvent.

I also tried to limit the session lifetime in the YAML config:

spring:
  session:
    timeout: 15s