We have discovered a problem when refreshing our web browser rapidly by holding down F5 within our web applications deployed in JBOSS 3.2.3. with integrated Tomcat.
Both our application and the JMX-CONSOLE seem to be producing an extremely large number of threads (perhaps 10 new threads per second). This may not be surprising as the container will presumably be running multiple instances of the servlet/jsp during a rapid refresh due to the time taken for them to execute.
However once the system has settled only one of the newly generated threads is deallocated and the rest appear to be stuck and many hours later the memory has not been released.
The net effect is a Denial of Service attack loophole.