When running the PushZ performance test using stateless sessions we see GC thrashing and poor performance. This is at least in part due to a memory leak in com.sun.identity.policy.SubjectEvaluationCache; this cache keeps a record of which subject IDs a given session does and does not match. It is keyed on token ID (which for stateless sessions can be quite large) and is cleared when the relevant session is destroyed. Unfortunately, when using stateless sessions, there is never any notification for sessions timeouts and therefore the cache is not emptied.
Run the PushZ performance test with stateless sessions for an extended period and watch the memory usage grow.
This cache can be disabled:
- Select Configure > Global Services > Policy
- Select the Realm Defaults tab
- Set "Subjects Result Time to Live" to 0
- Select "Save Changes"
com.sun.identity.policy.SubjectEvaluationCache#subjectEvaluationCache should be a Guava Cache rather than a HashMap.