Multiple community members have reported a suspected memory leak. One provided a detailed set of Memory Analyzer Tool files and an analysis:
I have been looking at the Openfire code and there seem to be some inconsistencies in handling preAuthenticatedSessions, precisely. See if I can explain:
Both puts are in terms of session.getAddress().getResource().
But after authentication, org.jivesoftware.openfire.session.LocalClientSession#setAuthToken(org.jivesoftware.openfire.auth.AuthToken, java.lang.String) is called, which does setAddress() of a new address, post authentication.
At this point, the preAuthenticatedSessions map contains an entry for a resource that comes from an address that has just been changed, and lost track.
Subsequent operations in the map using the resource of this new set address will then fail.
Also, the remove operation done on preAuthenticatedSessions in org.jivesoftware.openfire.SessionManager#addSession is using the stream id as the key. But nothing is ever put into the map using the stream id as key, only the resource.
I think this then leads to (and explains) entries never being deleted from preAuthenticatedSessions.
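The key mismatch described in the analysis above can be reproduced in a small model. This is an added example, not Openfire code and not part of the reporter's analysis: the `Session` class, `register`, `authenticate`, `promoteLeaky` and `promoteFixed` are hypothetical names, all values are constructed, and the fix shown is only one possible approach.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of the key mismatch as the analysis describes it.
// NOT Openfire code: every class and method name here is hypothetical.
public class PreAuthLeakDemo {
    static final class Session {
        final String streamId;
        String resource; // changes when the address is replaced
        Session(String streamId, String resource) { this.streamId = streamId; this.resource = resource; }
    }

    static final Map<String, Session> preAuthenticated = new ConcurrentHashMap<>();

    // The entry is stored under the resource of the pre-authentication address.
    static void register(Session s) {
        preAuthenticated.put(s.resource, s);
    }

    // Models the effect of setAuthToken(): the address, and so the resource, is replaced.
    static void authenticate(Session s, String boundResource) {
        s.resource = boundResource;
    }

    // Leaky promotion: removes by stream id, a key that was never used in put().
    static boolean promoteLeaky(Session s) {
        return preAuthenticated.remove(s.streamId) != null;
    }

    // One possible fix: remove with the same key that was used at put() time.
    static boolean promoteFixed(Session s, String keyUsedAtPut) {
        return preAuthenticated.remove(keyUsedAtPut, s);
    }

    public static void main(String[] args) {
        for (int i = 0; i < 1000; i++) {
            Session s = new Session("stream-" + i, "tmp-" + i); // constructed values
            register(s);
            authenticate(s, "bound-" + i);
            promoteLeaky(s); // removes nothing, so the entry stays in the map
        }
        System.out.println("entries left after leaky promotion: " + preAuthenticated.size());

        Session s = new Session("stream-x", "tmp-x");
        register(s);
        authenticate(s, "bound-x");
        System.out.println("fixed promotion removed entry: " + promoteFixed(s, "tmp-x"));
    }
}
```

In the model, every session that authenticates leaves one entry behind, so the map grows with the number of connections for the lifetime of the process.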