If the client code calls HttpServletRequest#logout(), it is delegated to getContext().getAuthenticator().logout(this); but AuthenticatorBase#logout(Request) never calls TomcatPrincipal#logout() to free resources. The only spot where this method is called is in StandardSession#expire(boolean). A completely request-based application cannot free the principal without ugly hacks.
Created attachment 34462: Patch calling TomcatPrincipal#logout()
Created attachment 34463: Patch calling TomcatPrincipal#logout()
Thanks for the report and the patch. I applied a slightly modified patch that used Tomcat's standard(ish) style of exception handling.

Fixed in:
- trunk for 9.0.0.M14 onwards
- 8.5.x for 8.5.9 onwards
- 8.0.x for 8.0.40 onwards
- 7.0.x for 7.0.74 onwards
(In reply to Mark Thomas from comment #3)
> Thanks for the report and the patch. I applied a slightly modified patch
> that used Tomcat's standard(ish) style of exception handling.

Any reason not to keep "catch (Exception e)", because Exception extends Throwable and the ExceptionUtils can still do their work? Anything but Exception indicates some severe VM error.
The reason is java.lang.StackOverflowError and anything similar that may be added / discovered.
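The following is an added example, not code from the bug report, the attached patches or Tomcat's own source. It models the two things the thread discusses: a request-scoped logout that actually calls the principal's logout() to free its resources, and why the applied fix catches Throwable and routes it through a handleThrowable filter instead of catching Exception. The names ResourcePrincipal, logoutCatchingThrowable, logoutCatchingException and the constructed test principals are hypothetical stand-ins for the Tomcat classes mentioned above; handleThrowable is a reimplementation of what this example assumes Tomcat's ExceptionUtils.handleThrowable does (rethrow ThreadDeath and VirtualMachineError, treat StackOverflowError as recoverable), not the real class.

```java
import java.security.Principal;

/**
 * Added example (not from the bug report or from Tomcat's source).
 * All names are hypothetical stand-ins for the classes discussed in the thread.
 */
public class LogoutHandling {

    /** Stand-in for TomcatPrincipal: a Principal that owns resources to release on logout. */
    interface ResourcePrincipal extends Principal {
        void logout() throws Exception;
    }

    /**
     * Assumed semantics of Tomcat's ExceptionUtils.handleThrowable (reimplemented here):
     * rethrow ThreadDeath and VirtualMachineErrors because the VM is in trouble, but treat
     * StackOverflowError as recoverable so the caller may log it and carry on.
     */
    static void handleThrowable(Throwable t) {
        if (t instanceof ThreadDeath) {
            throw (ThreadDeath) t;
        }
        if (t instanceof StackOverflowError) {
            return; // recoverable: the stack has already unwound by the time we get here
        }
        if (t instanceof VirtualMachineError) {
            throw (VirtualMachineError) t;
        }
        // anything else is left for the caller to log and swallow
    }

    /** Pattern of the applied fix: release the principal, containing recoverable failures. */
    static boolean logoutCatchingThrowable(ResourcePrincipal p) {
        try {
            p.logout();
            return true;
        } catch (Throwable t) {
            handleThrowable(t); // fatal VM errors propagate from here
            System.err.println("logout of " + p.getName() + " failed: " + t);
            return false;
        }
    }

    /** Variant questioned in the thread: only Exception is caught, so Errors escape. */
    static boolean logoutCatchingException(ResourcePrincipal p) {
        try {
            p.logout();
            return true;
        } catch (Exception e) {
            System.err.println("logout of " + p.getName() + " failed: " + e);
            return false;
        }
    }

    /** Constructed test principal whose logout() runs the given action. */
    static ResourcePrincipal principal(String name, Runnable onLogout) {
        return new ResourcePrincipal() {
            public String getName() { return name; }
            public void logout() { onLogout.run(); }
        };
    }

    /** Deliberately recurses until the VM raises StackOverflowError. */
    static void overflow() { overflow(); }

    public static void main(String[] args) {
        ResourcePrincipal ok = principal("alice", () -> {});
        ResourcePrincipal ise = principal("bob", () -> { throw new IllegalStateException("backend gone"); });
        ResourcePrincipal soe = principal("carol", LogoutHandling::overflow);
        ResourcePrincipal oom = principal("dave", () -> { throw new OutOfMemoryError("simulated"); });

        System.out.println("ok,  Throwable: " + logoutCatchingThrowable(ok));
        System.out.println("ok,  Exception: " + logoutCatchingException(ok));
        System.out.println("ISE, Throwable: " + logoutCatchingThrowable(ise));
        System.out.println("ISE, Exception: " + logoutCatchingException(ise));

        // StackOverflowError is an Error, not an Exception: the catch (Exception) variant lets
        // it escape (and would abort the request), while the Throwable variant contains it.
        System.out.println("SOE, Throwable: " + logoutCatchingThrowable(soe));
        try {
            logoutCatchingException(soe);
        } catch (StackOverflowError e) {
            System.out.println("SOE, Exception: escaped to the caller");
        }

        // A genuine VM error is rethrown by handleThrowable rather than swallowed.
        try {
            logoutCatchingThrowable(oom);
        } catch (OutOfMemoryError e) {
            System.out.println("OOM, Throwable: rethrown as expected");
        }
    }
}
```

Run it with `java LogoutHandling.java` on JDK 11 or later. The point of the Throwable-plus-filter shape is visible in the StackOverflowError case: a principal whose cleanup blows the stack is contained and the request can still complete, whereas `catch (Exception e)` would let the Error escape, and the filter still refuses to swallow errors such as OutOfMemoryError that the VM cannot be trusted to recover from.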