openwebbeans-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Struberg <>
Subject Re: Memleak when using owb with tomcat 7 and container managed security?
Date Sat, 07 Mar 2015 10:45:44 GMT
Which version of owb are you using? 1.2.x or 1.5.x snapshot?
I might totally rework all our session handling in the current trunk. 
We will ship a release in the next few weeks.


> Am 06.03.2015 um 13:42 schrieb Sebastian Gebhardt <>:
> Hi Mark!
> I added the WebBeansConfigurationListener to the web.xml and also use the openwebbeans-tomcat7
plugin. The tomcat parameter changeSessionIdOnAuthentication is not explicitly changed, so
the default value true should be active.
> My starting point was a heap dump resulting from an OutOfMemoryError of the application.
Inspecting the dump, I noticed the sessionContexts Map of the SessionContextManager. The map
was about 2,5 GB.
> During my debugging sessions I detected two WebBeansConfigurationListener.sessionCreated()
> calls for a login. The second call only creates a copy of the first one (attributes are
the same of the first session).  But I never expected a WebBeansConfigurationListener.sessionDestroyed()
call for the first session.
> Thanks
> Am 06.03.2015 um 13:19 schrieb Mark Struberg:
>> Hi Sebastian!
>> I think it should all work out of the box. How did you setup OWB in tomcat?
>> Are you using the webbeans-tomcat7 + context.xml or are you simply adding the WebBeansConfigurationListener
in your web.xml?
>> In any case, please debug into WebBeansConfigurationListener#sessionDestroyed().
>> (You can also debug into sessionCreated() to be sure the listener is properly registered).
>> This is a standard HttpSessionListener and must get invoked by the container.
>> What tomcat feature do you use to force a new sessionId? changeSessionIdOnAuthentication
>> Maybe we need to add support for those or provide a better mapping.
>> If you give me a few hints how your application looks like in regards to session
handling then I’ll investigate it.
>> We are short before a release anyway.
>> LieGrue,
>> strub
>>> Am 06.03.2015 um 12:54 schrieb Sebastian Gebhardt <>:
>>> Hello!
>>> My application uses owb and runs in a tomcat 7. The user are authenticated by
the container.
>>> During the authentication the session id changes (to prevent session fixation
attacks). This leads to a second call to SessionContextManager.addNewSessionContext(). But
the SessionContext created in the first call is never destroyed/removed. So the SessionContextManager's
map of session contexts grows. Finally this leads to an OutOfMemoryException.
>>> Is there something I have misconfigured?
>>> Thanks!
> -- 
> Sebastian Gebhardt
> Email:
> PGP-Public Key:

View raw message