Without knowing how you measure that 200MB, its impossible to say.
Here is the code for that class:
Besides the link to main JaasSecurityManager (don't know if you include that in your estimate?)
or the rest of the server (the interceptor)
the main things that can grow are the authCache (one per connection) and securityConf (one per destination including temporary destinations).
My best guess for how it could grow would be that you are not closing connections properly?
If you leave a connection unclosed (including in memory ones), the authCache will keep a SecurityInfo for each one
and the temporary destinations will not get removed.
You can see the number of open connections in the DestinationManager MBean, the ClientCount attribute.