Spring RefreshableKeycloakSecurityContext 内存泄漏

Question

我正在 Spring Boot 2.0.3 中开发应用程序。当大量带有令牌的 REST 请求发送到应用程序时，由于 RefreshableKeycloakSecurityContext，应用程序会出现内存泄漏。帖子按钮上的照片描述了它。

keycloak依赖项：

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-spring-boot-2-starter</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-admin-client</artifactId>
        <version>3.4.0.Final</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-server-spi</artifactId>
        <version>3.4.3.Final</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-events-api</artifactId>
        <version>1.0.2.Final</version>
        <type>jar</type>
    </dependency>

安全配置：

     public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        try {
            KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
            keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
            auth.authenticationProvider(keycloakAuthenticationProvider);
        }catch(Exception ex){
            log.error(ex);
        }
    }

    @Bean
    public KeycloakSpringBootConfigResolver KeycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) {
        try {
            super.configure(http);
            http
                    .cors()
                    .configurationSource(corsConfigurationSource())
                    .and()
                    .authorizeRequests()
                    .antMatchers("/api/public/**")
                    .permitAll();
                    http.csrf().disable();
        }catch (Exception ex){
            throw new RuntimeException("Problem podczas uprawnien " + ex);
        }

    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("GET","POST","PUT","DELETE", "OPTIONS"));
        configuration.setAllowedHeaders(Arrays.asList("Access-Control-Allow-Origin","Origin","Accept,X-Requested-With","Content-Type","Access-Control-Request-Method","Access-Control-Request-Headers","Authorization"));
        configuration.setMaxAge((long)1);
        configuration.setAllowCredentials(true);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

}

内存泄漏图片

有人可以帮助如何解决这个问题吗？

Answer 1

问题出在 SecurityConfig 类中。你用：

@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    return new 
             RegisterSessionAuthenticationStrategy(newSessionRegistryImpl());
}

在这个类中你可以看到：

public class RegisterSessionAuthenticationStrategy implements SessionAuthenticationStrategy {
private final SessionRegistry sessionRegistry;

public RegisterSessionAuthenticationStrategy(SessionRegistry sessionRegistry) {
    Assert.notNull(sessionRegistry, "The sessionRegistry cannot be null");
    this.sessionRegistry = sessionRegistry;
}

public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
    this.sessionRegistry.registerNewSession(request.getSession().getId(), authentication.getPrincipal());
}

}

代码：

public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) {
    this.sessionRegistry.registerNewSession(request.getSession().getId(), authentication.getPrincipal());
}

导致你的问题。你所有的休息都会创造出被春天铭记的会话。为了避免这种情况，您应该使用：

@Bean
@Override
protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    return new NullAuthenticatedSessionStrategy();
}

将 SecurityConfig 类中的 RegisterSessionAuthenticationStrategy 替换为 NullAuthenticatedSessionStrategy。

执行此操作后，您的应用程序将不再记住该会话。（检查前后的内存转储）。

更多信息在这里：https://github.com/dynamind/grails3-spring-security-keycloak-minimal/blob/master/README.md

Answer 2

我从未使用过 Keycloak，尽管您没有直接实例化 RefreshableKeycloakSecurityContext，但也许您使用 new() 连续分配的任何类（例如 KeycloakSpringBootConfigResolver）每次都会实例化它。

在这种情况下，如果您不清除指向该对象的所有引用，它们将不会被垃圾收集......并且您将出现内存泄漏。

您是否已经尝试过内存分析工具？让我向您推荐 Eclipse MAT，您应该能够获取应用程序的堆转储并生成内存泄漏报告。您还可以检查支配树以查看谁保留了对泄漏内存的引用。

https://eclipsesource.com/blogs/2013/01/21/10-tips-for-using-the-eclipse-memory-analyzer/