As for the memory/accumulation issue I raise, in
AuthenticationService.authenticate, I see that tokenSessionMap is populated
with information for each session.   However, it's not clear when those are
removed from the map.  I think I deduce from a rest API call
(Administration?) And there's another case upon an unclear exception but
there's limits to how IntelliJ will let me traceback and reverse engineer

A couple of things, here:
- There is code during the "logout" process that tears down the session (look at the DELETE method on the api/tokens endpoint).
- In your custom authentication module, there's a shutdown() method that you could use to clean up anything specific to your authentication module.
- If you put Guacamole into DEBUG logging and look at the Tomcat logs (catalina,out or syslog, depending on your configuration) you'll see periodic messages from cleaning up old sessions.
- I believe Tomcat's monitoring/management interface can show you memory utilization for a deployed application, so you can monitor that and make sure it isn't leaking.