We have identified a memory leak in ContextResolverFactory in package core-common. What happens is that resolve can be called with arbitrary media types and thus the cache will be hit with putIfAbsent for every request.
To reproduce we need to use jersey-media-jaxb with a custom ContextResolver for JAXBContext for custom MediaType. eg application/vnd.mydomain+xml. That will cause the request to hit AbstractJaxbProvider:178 which in turn will call resolve in ContextResolverFactory:194. This will eventually hit crMapCache.putIfAbsent(m, cr); on line 228.
If the media type sent from internet is application/vnd.mydomain+xml, this will only put one object into the cache. But if someone has a bug where they use the header content-type: application/vnd.mydomain+xml;boundary=----321231 where the number is a very random number, the crMapCache will cache the same ContextResolver instance for every request.
The solution for us is to intercept the request and change the header so that there are no attributes on the header. Of course this is fine when there is a multipart requests.
We have identified a memory leak in
ContextResolverFactoryin packagecore-common. What happens is thatresolvecan be called with arbitrary media types and thus the cache will be hit with putIfAbsent for every request.To reproduce we need to use
jersey-media-jaxbwith a custom ContextResolver for JAXBContext for custom MediaType. egapplication/vnd.mydomain+xml. That will cause the request to hitAbstractJaxbProvider:178which in turn will call resolve inContextResolverFactory:194. This will eventually hitcrMapCache.putIfAbsent(m, cr);on line 228.If the media type sent from internet is
application/vnd.mydomain+xml, this will only put one object into the cache. But if someone has a bug where they use the headercontent-type: application/vnd.mydomain+xml;boundary=----321231where the number is a very random number, thecrMapCachewill cache the same ContextResolver instance for every request.The solution for us is to intercept the request and change the header so that there are no attributes on the header. Of course this is fine when there is a multipart requests.