I've found the problem and it's a session leak. A session is created every HTTP request (actually don't know who is doing that)and never invalidated. I've also checked the default settings and I've found no session timeout conf. So it seems that sessions for plugins are never cleaned. As far as they are stateless plugins it would be better to invalidate the session right before the doGet/doPost return.
I've modfiied both Presence and userService plugin and now they're no more reporting memory problems after load tests.
