Description
Describe the bug
Default configuration of InMemoryOidcSessionRegistry causes memory leak in cloud environments using external session storage systems such as org.springframework.session:spring-session-data-redis.
This default caused JVM OOMs in our production system for multiple days until we boiled it down using heap dumps from production containers.
This was introduced with spring security 6.2 or might happen if you update from spring boot starter 3.1.6 to 3.2.x while using spring session with an external storage.
To Reproduce
- Use Spring Security >= 6.2, Spring Data Session Redis or a spring boot starter app with version >= 3.2
Excerpt from the build.gradleid 'org.springframework.boot' version '3.2.2' // [...] implementation 'org.springframework.boot:spring-boot-starter-web' implementation 'org.springframework.boot:spring-boot-starter-oauth2-client' implementation 'org.springframework.boot:spring-boot-starter-actuator' implementation 'org.springframework.boot:spring-boot-starter-data-redis' implementation 'org.springframework.session:spring-session-data-redis' implementation 'redis.clients:jedis:5.1.0' implementation 'io.lettuce:lettuce-core:6.3.1.RELEASE'
- Configure app to use redis as a leading session storage system.
- Set break points in the InMemoryOidcSessionRegistry.saveSessionInformation
- Create multiple sessions with different users
- The Number of objects in the ConcurrentHashMap will increase constantly.
Expected behavior
This might be a communication issue in the documentation of the change logs.
Setting the default to InMemoryOidcSessionRegistry is a breaking change for applications that are running in a cloud environment with non-sticky sessions.
I would either recommend removing the default or clearly communicating this as a breaking change in the behavior of spring security.
This change requires configuration changes to stay functional.
Related Documentation
- https://docs.spring.io/spring-security/reference/reactive/oauth2/login/logout.html#_customizing_the_oidc_provider_session_strategy
- there is no such an interface called
OidcSessionStrategy. - There is only
SessionAuthenticationStrategywhich is doing something else. - I think
OidcSessionRegistryis meant here.
- there is no such an interface called
- https://docs.spring.io/spring-session/reference/http-session.html#httpsession-redis
Our mitigation
We would mitigate this issue by providing a custom OidcSessionRegistry implementation that does not store the session information in memory.
Spring Data Redis is already configured to store the session information in Redis.
We also implemented a custom back-channel logout endpoint to remove the session information from the Redis store by wiping the http session.
In this particular case, we would use the NoopSpringDataOidcSessionsStrategy to avoid the memory leak until further support for external data storage is added.
public class NoopSpringDataOidcSessionsStrategy implements OidcSessionRegistry {
@Override
public void saveSessionInformation(OidcSessionInformation info) {
}
@Override
public OidcSessionInformation removeSessionInformation(String clientSessionId) {
return null;
}
@Override
public Iterable<OidcSessionInformation> removeSessionInformation(OidcLogoutToken logoutToken) {
return null;
}
} public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.oauth2Login(oauth2Login -> oauth2Login.oidcSessionRegistry(new NoopSpringDataOidcSessionsStrategy()));
}Sample
Creating a sample costs a lot of time and is not feasible for us at the moment.
We are happy to provide a sample if it is required.
Related issues