Wednesday, December 24, 2014

OATS: How to Fix Quarter-Crossing Issue for a Benchmark

In [1], we have described how to record a load testing script using OpenScript for CRM Fuse. In the click path, it includes one of the following step:
  • [4] Select_Quarter_3_2013
After setting up a benchmark, we tend to use it for a long time. Step 4 actually causes an issue which we call it "Quarter-Crossing" issue. What happens is that CRM Fuse is live and advance its list by adding current quarter to the list and removing the last entry from the list.

When that happens (i.e., at end of each fiscal quarter), our Oracle Load Testing (OLT) scenario will fail with validation error as:
ERROR [1] Iteration 1 failed at line ( Failed in finding component with xpath=//AdfRichTable[@fullId='atkfr1:0:r22:1:r1:0:pt1:t1']//AdfRichCommandLink[@partialSubmit='true'], no matching pathSegment=/
Basically, ADF internal state[2] will change and the xpath used to retrieve the list item "Quarter 3, 2013" will fail.

In this article, we will discuss how to work around this if it happens.

Quarter Crossing Events

At the end of each quarter, we need to maintain our benchmark CRM Fuse because of the quarter-crossing event. As shown above, "Quarter 3, 2013" is the only list item with seeded data for CRM testing. In other words, "Pinnacle Server Sales per test0000001" will be shown only when "Quarter 3, 2013" is selected. However, at the end of each quarter, the position of it will be shifted down one place on the list. This will cause the validation step in OLT scenario to fail. In addition, "Quarter 3, 2013" eventually will be moved out of the list.

SQL Statements

Whenever scuh events happen, it means you need to recreate OLT scenario by following the steps described in [3]. In addition, you need to update Fusion table (i.e., moo_opty) with new effective date. So, here we show the SQL statements needed for that purpose.

$ORACLE_HOME/bin/sqlplus fusion/fusion

select effective_date from moo_opty where name like 'Pinnacle Server Sales Test%';


As shown above, "Quarter 3, 2013" is associated with an EFFECTIVE_DATE of "03-JUN-13". On a future date, say, "Quarter 3, 2014", "Quarter 3, 2013" may be shifted out of the list and no longer available for selection. That's why you want to update the above moo_opty table in addition to recreate OLT scenario at each quarter-crossing event.

For demonstration, we have updated the above EFFECTIVE_DATE (of type DATE) column with a new value 01-JUN-14:

update moo_opty set effective_date = to_date('06/01/2014', 'MM/DD/YYYY') where name like 'Pinnacle Server Sales Test%';

1,000 rows updated.

After the above update, the seed data with "Pinnacle Server Sales per test0000001" will be associated to a new quarter (e.g., Quarter 2, 2014).  But, eventually you may need to update EFFECTIVE_DATE to a later date than 01-JUN-14 if time moves on further.


  1. How to Create Load Testing Scripts Using OpenScript
  2. Oracle Application Development Framework - Oracle ADF
  3. OATS: Tie All Processes Together — from OpenScript to Scenario

OATS: All Things about OLT Sessions

Oracle Load Testing(OLT)[1] is a component of Oracle Application Test Suite (OATS), which can simulate hundreds of virtual users accessing the application simultaneously and measures the effect of the load on application performance.

The results of load tests are grouped by sessions which are stored in Oracle database.  Oracle Load Testing then allows you to create customized post-run reports on the results of your load tests.


After you've run many load tests, eventually you could run into:
ORA-01654: unable to extend index OLT.COUNTERRUN_IDX by 1024 in tablespace USERS
OLT comes with a Session Manager which allows you to manage session data in the database:
  • Edit
    • Displays the Edit Session dialog box for changing the name and description of the session.
  • Delete
    • Deletes the entire selected session data from the database.
  • Delete Virtual User Logs
    • Deletes only the VU log data for the selected sessions. 
The easiest solution to the ORA-01654 is to delete old session data as shown below:

On the other hand, if you are using Oracle EE[2,3] and have enough disk space, all you need to do is:
Use ALTER TABLESPACE ADD DATAFILE statement to add one or more files to the tablespace indicated.

Note that if you are currently using XE, we would recommend you use a dedicated machine for database and use Oracle EE.

Attach to Session

Read [4] for how to set up autopilot.  After setting up the parameters of autopilot, you can run scenarios from the command line.[4]  Assuming you have done that, then you can monitor load test session by attaching to it in OLT.  This enables a tester to share real-time test results and to collaborate with team members during testing.

From menu Session, select Attach.... The current running session as below should be listed.

You can then select how you want to attach to the session:

Monday, December 22, 2014

Java Security Manager: Troubshooting Security

In [1], we have discussed how to fix security violations when Java Security Manager is enabled at WebLogic Server start-up.  In this article, we will look at how to troubleshoot security policy-related issues by using the option.

To troubleshoot security policy-related issues, you can configure Java Security Manager with the level of security-related information to be reported using:  
To find out what the debug option offers, do:
If using JDK 7, you can find more information from [2].  As for JDK 8, we have included the list of debugging options in the Addendum for your convenience.  Note that you need to separate multiple options with a comma.  For example, we will look at the output from the following combination of debug options:,access

policy Option

Setting "policy" option will allow Security Manager to report the details of
Loading and granting permissions with policy file
For example, from the WebLogic Server log file, you can find the following entries:

policy: Adding policy entry: 
policy:   signedBy null
policy:   codeBase file:/home/myusername/wls1221141208/wlserver/server/lib/-
policy:   ("" "" "")
policy: Adding policy entry: 
policy:   signedBy null
policy:   codeBase file:/home/myusername/wls1221141208/wlserver/modules/-
policy:   ("" "" "")

which correspond to grant entries from the weblogic.policy:[5]

grant codeBase "file:/home/myusername/wls1221141208/wlserver/server/lib/-" {

grant codeBase "file:/home/myusername/wls1221141208/wlserver/modules/-" {

Beside of policy loading entries, you could also find other entries (e.g. permission granting entries) such as:

policy:   granting ("java.util.PropertyPermission" "java.version" "read")
policy:   granting ("java.util.PropertyPermission" "java.vendor" "read")

access Option

Enabling access option, allows Security Manager to print all results from the AccessController.checkPermission method.

You can use the following options with the access option:
  • stack: Include stack trace
  • domain: Dump all domains (i.e., protection domain) in context
  • failure:[3] Before throwing exception, dump stack and domain that do not have permission
You can also use the following options with the stack and domain options:
  • permission=<classname>[4]
    • Only dump output if specified permission is being checked 
  • codebase=<URL>
    • This option would be useful when customer desires to trace the permissions impact of only the code in a given code souce, such as jar file.
    • URL is the location of the specified code base. 
      • Note that because the comma (',") is used as multi options separator, if the URL contains comma, the security debugger would not work properly as expected, it is recommended that the URL should not include character comma (','), semicolon (';'), and  space.


$ jdk-hs/bin/java

all           turn on all debugging
access        print all checkPermission results
certpath      PKIX CertPathBuilder and
              CertPathValidator debugging
combiner      SubjectDomainCombiner debugging
              GSS LoginConfigImpl debugging
configfile    JAAS ConfigFile loading
configparser  JAAS ConfigFile parsing
jar           jar verification
logincontext  login context results
jca           JCA engine class debugging
policy        loading and granting
provider      security provider debugging
pkcs11        PKCS11 session manager debugging
              PKCS11 KeyStore debugging
sunpkcs11     SunPKCS11 provider debugging
scl           permissions SecureClassLoader assigns
ts            timestamping

The following can be used with access:

stack         include stack trace
domain        dump all domains in context
failure       before throwing exception, dump stack
              and domain that didn't have permission

The following can be used with stack and domain:

              only dump output if specified permission
              is being checked
              only dump output if specified codebase
              is being checked

The following can be used with provider:

              only dump output for the specified list
              of JCA engines. Supported values:
              Cipher, KeyAgreement, KeyGenerator,
              KeyPairGenerator, KeyStore, Mac,
              MessageDigest, SecureRandom, Signature.


  1. Java Security Manager: access denied (Xml and More)
  2. Troubshooting Security
  3. Debugging Security Policy Issues
  4. Fine granularity diagnosis on security
  5. Java SecurityManager: "" and "java.policy" Files (Xml and More)

Saturday, December 13, 2014

Java Security Manager: access denied

The JVM has security mechanisms built into it that allow you to define restrictions to code through Java security policy files (i.e., java.policy file). The Java Security Manager[1] uses these policies to enforce a set of permissions granted to classes. The permissions allow specified classes running in that instance of the JVM to allow or not allow certain runtime operations.

In this article, we will cover how to resolve security violations such as access denied
when you start WebLogic Server with Java Security checking enabled (see [1] for how to enable Java Security Manager).

AccessController is the main security enforcer in Java Security Manager.  It helps decide whether an access to a critical system resource is to be allowed or denied, based on the security policy currently in effect,  For example, an will be thrown when a permission was not granted to read property as below:

Caused by: access denied ("java.util.PropertyPermission" "" "read")
at java.lang.SecurityManager.checkPermission(
at java.lang.SecurityManager.checkPropertyAccess(
at java.lang.System.getProperty(
at java.lang.Boolean.getBoolean(

If the security violations in your application are only a few, you may consider to add an entry like below in the default section of your policy file:

// default permissions granted to all protection domains
grant {
    permission java.util.PropertyPermission "", "read";

"weblogic.policy" and "ojdbc.policy"

When you run applications in WebLogic server, Oracle has provided an OOTB policy file at:
If you specify it in the JVM option:${WL_HOME}/server/lib/weblogic.policy
then the specified policy file will be loaded in addition to all the java policy files (see [1] for details). However,  OOTB weblogic.policy is not intended to cover all deployed applications.  For example, if you use Oracle JDBC Driver in your applications, you may need to add the grant entries specified in ojdbc.policy[2] onto the ones specified in weblogic.policy file.

Grant Entries

If you look at either weblogic.policy or ojdbc.policy file, there are many grant entries. The basic format of a grant entry is the following:[4]

  grant signedBy "signer_names", codeBase "URL",
        principal principal_class_name "principal_name",
        principal principal_class_name "principal_name",
        ... {
      permission permission_class_name "target_name", "action", 
          signedBy "signer_names";
      permission permission_class_name "target_name", "action", 
          signedBy "signer_names";

Each grant entry includes one or more "permission entries" preceded by optional codeBase, signedBy, and principal name/value pairs that specify which code you want to grant the permissions.

Sometimes it will be too much to enumerate all permissions individually.  This is the time for granting permissions by any combination of the following entries:
  • SignedBy
  • Principal
  • CodeBase

Grant Permission by SignedBy

An example of granting permission(s) based on signer is shown below:[3]
keystore "kim.keystore";

// Here is the permission ExampleGame needs.
// It grants code signed by "terry" the
// HighScorePermission, if the
// HighScorePermission was signed by "chris"
grant SignedBy "terry" {
      "ExampleGame", signedBy "chris";
A signedBy value indicates the alias for a certificate stored in the keystore. The public key within that certificate is used to verify the digital signature on the code; you grant the permission(s) to code signed by the private key corresponding to the public key in the keystore entry specified by the alias.

The signedBy value can be a comma-separated list of multiple aliases. An example is "Adam,Eve,Charles", which means "signed by Adam and Eve and Charles"; the relationship is AND, not OR. To be more exact, a statement like "Code signed by Adam" means "Code in a class file contained in a JAR which is signed using the private key corresponding to the public key certificate in the keystore whose entry is aliased by Adam".

Grant Permission by Principal

An example of granting permission(s) based on principal is shown below:
// Grant notification listener actions to standard roles

grant principal "Administrators" {
    permission "*", "addNotificationListener";
    permission "*", "removeNotificationListener";

A principal value specifies a class_name/principal_name pair which must be present within the executing thread's principal set. The principal set is associated with the executing code by way of a Subject.

The principal_class_name may be set to the wildcard value, *, which allows it to match any Principal class. In addition, the principal_name may also be set to the wildcard value, *, allowing it to match any Principal name. When setting the principal_class_name or principal_name to *, do not surround the * with quotes. Also, if you specify a wildcard principal class, you must also specify a wildcard principal name.

Grant Permission by CodeBase

A codeBase value indicates the code source location; you grant the permission(s) to code from that location. An example of granting permission by CodeBase is shown below:
// Grant for internal applications when using WebLogic startup scripts
grant codeBase "file:${user.dir}/servers/${weblogic.Name}/tmp/_WL_internal/-" {

BNF Grammar

An informal BNF grammer for the Policy file format is given below, where non-capitalized terms are terminals:[12]

PolicyFile -> PolicyEntry | PolicyEntry; PolicyFile
PolicyEntry -> grant {PermissionEntry}; |
           grant SignerEntry {PermissionEntry} |
           grant CodebaseEntry {PermissionEntry} |
           grant PrincipalEntry {PermissionEntry} |
           grant SignerEntry, CodebaseEntry {PermissionEntry} |
           grant CodebaseEntry, SignerEntry {PermissionEntry} |
           grant SignerEntry, PrincipalEntry {PermissionEntry} |
           grant PrincipalEntry, SignerEntry {PermissionEntry} |
           grant CodebaseEntry, PrincipalEntry {PermissionEntry} |
           grant PrincipalEntry, CodebaseEntry {PermissionEntry} |
           grant SignerEntry, CodebaseEntry, PrincipalEntry {PermissionEntry} |
           grant CodebaseEntry, SignerEntry, PrincipalEntry {PermissionEntry} |
           grant SignerEntry, PrincipalEntry, CodebaseEntry {PermissionEntry} |
           grant CodebaseEntry, PrincipalEntry, SignerEntry {PermissionEntry} |
           grant PrincipalEntry, CodebaseEntry, SignerEntry {PermissionEntry} |
           grant PrincipalEntry, SignerEntry, CodebaseEntry {PermissionEntry} |
           keystore "url"
SignerEntry -> signedby (a comma-separated list of strings)
CodebaseEntry -> codebase (a string representation of a URL)
PrincipalEntry -> OnePrincipal | OnePrincipal, PrincipalEntry
OnePrincipal -> principal [ principal_class_name ] "principal_name" (a principal)
PermissionEntry -> OnePermission | OnePermission PermissionEntry
OnePermission -> permission permission_class_name
                 [ "target_name" ] [, "action_list"]
                 [, SignerEntry];

Some entries in the grammar are optional, If they are omitted, it signifies:

When Omitted
It Means
CodebaseEntry "any code base" (it doesn't matter where the code originates from)
SignerEntry "any signer" (it doesn't matter whether the code is signed or not or by whom)
PrincipalEntry "any principals"

The "target_name"is the name of the permission is aimed.  For, the targets of this class can be specified as:

directory (same as directory/)
directory/* (all files in this directory)
* (all files in the current directory)
directory/- (all files in the file system under this directory)
- (all files in the file system under the current directory)
"<<ALL FILES>>" (all files in the file system)

As an example, you may grant read permission to all files in the file system as below:
permission "<<ALL FILES>>", "read"; 

Finally, a set of actions can be specified together as a comma-separated composite string as below:
permission "WEBLOGIC-APPLICATION-ROOT${/}-", "read, write, delete, execute";


Sunday, December 7, 2014

Linux: How to Load Balance with DNS Round Robin

If you are running multiple application server instances, you will need to use something to balance the HTTP traffic from the network. For example, you can use a DNS server or a hardware load balancer (e.g. F5) to load balance HTTP traffic.

In this article, we will cover how to configure a DNS server to round-robin network traffic across all application servers.

Load Balancing with DNS Round Robin

Domain Name Service (DNS) is an Internet service that map human-memorable domain names and hostnames into the corresponding numeric Internet Protocol (IP) addresses which are used to identify and locate computer systems and resources on the Internet. In this way, DNS alleviates the need to remember IP addresses. Computers that run DNS are called name servers. Both Red Hat and Ubuntu ship with BIND (Berkley Internet Naming Daemon),[12] the most widely deployed DNS server.

Using a DNS server, even with one application server, makes it very easy if you need to change to different machines — you just need to update the IP address on the DNS server instead of on every other machine.

Load balancing allows organizations to distribute inbound traffic across multiple back-end nodes or servers (represented as the IP address of a physical server). Round robin is a local balancing mechanism used by DNS servers to share and distribute network resource loads. Compared to hardware load balancer, DNS round robin is a poor man’s load balancing solution.[1]

Configuring Name Servers

Managing BIND's named daemon is easy to do, but the procedure differs between Linux distributions. Here are some things to keep in mind:
  • Firstly, different Linux distributions use different daemon management systems. Each system has its own set of commands to do similar operations.
  • Secondly, the daemon name needs to be known. In this case the name of the daemon is named.
Armed with this information you can know how to:
  • Start your daemons automatically on booting
  • Stop, start and restart them later on during troubleshooting or when a configuration file change needs to be applied.
For more details, read [11] and [12]. The Linux release used in this article is:

$ cat /etc/*-release
Enterprise Linux Enterprise Linux Server release 5.4 (Carthage)
Red Hat Enterprise Linux Server release 5.4 (Tikanga)

Assume that your named is up and running—To enable DNS services on the name server, the /etc/host.conf file should look like this:

# Lookup names via /etc/hosts first, then by DNS query
order hosts, bind

Next you need to configure DNS tables for DNS services. If you use the BIND 8.x package with the Red Hat distribution, the configuration of DNS tables can be done in:
  • /etc/named.conf
For example, the /etc/named.config could look like this:

options {
// DNS tables are located in the /var/named directory
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
listen-on { any; };
allow-query { any; };
rrset-order {
order cyclic;

controls {
inet allow {

zone "." {
type forward;
forward first;
forwarders {;

// All our DNS information is stored in /var/named/foobar
zone "" {
type master;
notify no;
file "";

The rrset-order substatement accepts fixed, random and cyclic as arguments. By specifying cyclic as the argument, you can configure the name server to return matching records in cyclic (round robin) order.[7]

The DNS table named /var/named/ translates host names (such as jassut) to IP addresses. could have the contents like this:[8]

; Zone file for
@ IN SOA (
2005061504 ; serial # (today's date + increment)
1S ; refresh
1S ; retry
1S ; expire
1S) ; minumum ttl
; sorted alphnumerically by hostname (first column) then by IP address

nameserver A

jassut A
jasapp1dom1inst1nic1 A
jassut A

jasapp1dom1inst1nic2 A
jassut A

jasapp1dom1inst1nic3 A
jassut A

jasapp1dom1inst1nic4 A

Configuring DNS Clients

There are three main client configuration files associated with DNS:[9]
  • /etc/hosts
  • /etc/nsswitch.conf
  • /etc/resolv.conf
When your computer looks for another computer on a network such as the Internet, it typically looks in two places: /etc/hosts and any DNS servers that you've set up for your network.


The /etc/hosts file keeps a local name database. This file helps in local name resolution if your local DNS server is not functioning. Network adinistrators should manually populate entries in this file. A sample /etc/hosts file is copied below.

$ cat /etc/hosts

# Do not remove the following line, or various programs
# that require network functionality will fail. localhost.localdomain localhost clientserver1


The order of name resolution process is determined by a single line in /etc/nsswitch.conf:

hosts: files dns

In this case, the name resolution process will begin with checking /etc/hosts file, and if the name cannot be resolved, the name resolution will happen with the DNS server.


The /etc/resolv.conf file contains directives with the IP addresses of nameservers available to a host. A sample /etc/resolv.conf file is copied below.

$ cat /etc/resolv.conf
options attempts: 5
options timeout: 15


How to Test?

nslookup is a network administration command-line tool available for many computer operating systems for querying the DNS server(s) to obtain domain name or IP address mapping or for any other specific DNS record.

For example, our sample setup uses four server instances in one WebLogic domain, which listens on four Network Interface Cards.

On the client computer, you can query host name jassut by typing:
$ nslookup jassut






Other commands for debugging DNS besides nslookup are host and dig. Note that ping is not useful for debugging DNS, as it will use whatever is configured in /etc/nsswitch.conf to do the name-lookup. Also, noted that our host (i.e., has multiple network interface controllers (NIC).[16]

DNS Caching

The Internet's Domain Name System (DNS) involves caching on both DNS servers and on the client computers that contact DNS servers. To minimize the load on the actual DNS server, we want to use a local DNS cache. There are two levels of local name caching on DNS clients:
  • OS
    • To enable DNS caching on the client computers, you can install nscd and run it.
      • A daemon that provides a cache for the most common name service requests.
      • To launch the daemon, do:
        • /etc/init.d/nscd start
  • JVM
    • By default, the JVM will cache DNS information.
However, if client-side DNS caching is enabled, it can lessen the effectiveness of the round-robin DNS load balancing. In other words, due to the client-side DNS query caching, your round-robin DNS load balancing is not likely to distribute the load on your remote servers on a per-request basis. It will be more like a per-session basis.

To effectively support DNS round robin, you want to:
  • Disable JVM local caching by setting
    • -Dnetworkaddress.cache.ttl=0
  • Decrease the local DNS cache (i.e., nscd) default time-to-live to the minimum of 1 second (see instructions below).

On Windows, under HKEY_LOCAL_MACHINE\System\CurrentControlSet set Services\Dnscache\Parameters\MaxCacheEntryTtlLimit to 1

For UNIX machines with a name service cache daemon (nscd),[5] ensure that /etc/nscd.conf contains

enable-cache hosts yes
positive-time-to-live hosts 1
negative-time-to-live hosts 0


  1. Configuring DNS round robin on Windows
  2. Load Balancing With Round Robin DNS
  3. port 53
    • Default port listened by DNS
  4. Domain Name Server (DNS) Configuration and Administration
    • BIND 8.x
      • /etc/named.conf file should be configured to point to your DNS tables
    • BIND9 (Berkley Internet Naming Daemon)
      • BIND9 Configuration files are stored in /etc/bind
  5. nscd (Name Service Cache Daemon)The default configuration file, /etc/nscd.conf, determines the behavior of the cache daemon
    • See also: nsswitch.conf - System Databases and Name Service Switch configuration file
  6. The Domain Name System (good)
  7. Round Robin Load Distribution
  8. Zone files (Red Hat Linux 5)
  9. Linux Domain Name System (DNS) client configuration files
  10. Linux / Unix: Dig Command
    • The chief difference between nslookup and dig is that dig has no interactive mode: you specify everything at the command line.
  11. Quick HOWTO : Ch18 : Configuring DNS (good)
  12. Berkeley Internet Name Domain (BIND) (Red Hat Linux 5)
  13. Why 192.168.*.* for local addresses?
  14. Load Balancing T3 InitialContext Retrieval for WebLogic using Oracle Traffic Director
    • For bootstrapping the InitialContext, you can choose two approaches:
      • DNS round robin
      • External load blancer such as OTD
  15. DNS and BIND, 5th edition, by Cricket Liu and Paul Albitz
  16. Multihoming

Monday, December 1, 2014

JDK 8: When Softly Referenced Objects Are Flushed?

There are four different degrees of reference strength in Java language:[1]
  1. Strong
    • StringBuffer strongRef = new StringBuffer();
  2. Soft
    • SoftReference softRef = new SoftReference(obj);
  3. Weak
    • WeakReference weakRef = new WeakReference(widget);
  4. Phantom
    • PhantomReference phantomRef =new PhantomReference(bool,rq);
in order from strongest to weakest.

In this article, we will focus on softly referenced objects and when they will be flushed by Garbage Collector (GC) in HotSpot.

SoftReference vs WeakReference

A soft reference is exactly like a weak reference, except that it is less eager to throw away the object to which it refers. An object which is only weakly reachable (the strongest references to it are WeakReferences) will be discarded at the next garbage collection cycle, but an object which is softly reachable will generally stick around for a while.

SoftReferences aren't required to behave any differently than WeakReferences, but in practice softly reachable objects are generally retained as long as memory is in plentiful supply. This makes them an excellent foundation for a cache since you can let the garbage collector worry about both how reachable the objects are and how badly it needs the memory they are consuming.

When Softly Referenced Objects Are Flushed?

Prior to version 1.3.1, the Java HotSpot VMs cleared soft references whenever it found them. Starting with 1.3.1, softly reachable objects will remain alive for some amount of time after the last time they were referenced. The default value is one second of lifetime per free megabyte in the heap. This value can be adjusted using the -XX:SoftRefLRUPolicyMSPerMB flag, which accepts integer values representing milliseconds. For example, to change the value from one second to 2.5 seconds, use this flag:

When, exactly, is a soft reference freed?  Here are the factors to be considered:
  • First the referent must not be strongly referenced elsewhere
  • If the soft reference is the only remaining reference to its referent, the referent is freed during the next GC cycle only if the time it was last accessed is greater than (AmountOfFreeMemoryInMB * SoftRefLRUPolicyMSPerMB).
    • AmountOfFreeMemoryInMB is calculated differently for server and client VMs:
      • Server VM
        • Uses the maximum possible heap size (as set with the -Xmx option) to calculate free space remaining
          • -Xmx therefore has a significant effect on when soft references are garbage collected.
        • The general tendency is for the Server VM to grow the heap rather than flush soft references
      • Client VM
        • Uses the current heap size to calculate the free space
        • The Client VM will have a greater tendency to flush soft references rather than grow the heap


  • When to use SoftReference?
    • Soft references are used when the object in question has a good chance of being reused in the future,
      • For example, as a cache implementation
        • Soft references are essentially one large, least-recently-used cache
  • Performance consideration
    • The key to getting good performance from that cache is to make sure that it is cleared on a timely basis.
    • Eagerly vs. lazily reclaimation of softly referenced objects
      • You can tune how eagerly they are reclaimed by setting:
        • -XX:SoftRefLRUPolicyMSPerMB flag
          • Default is 1000 ms. Optimal setting depends on the applications and which GC is used.
          • This behavior is not part of the VM specification, however, and is subject to change in future releases. Likewise the -XX:SoftRefLRUPolicyMSPerMB flag is not guaranteed to be present in any given release.


  1. Understanding Weak References (good)
  2. Frequently Asked Questions About the Java HotSpot VM
  3. HotSpot Virtual Machine Garbage Collection Tuning Guide
  4. Garbage-First Garbage Collector Tuning
  5. Other JDK 8 articles on Xml and More
  6. Tuning that was great in old JRockit versions might not be so good anymore
    • Trying to bring over each and every tuning option from a JR configuration to an HS one is probably a bad idea.
    • Even when moving between major versions of the same JVM, we usually recommend going back to the default (just pick a collector and heap size) and then redoing any tuning work from scratch (if even necessary).