DataSourceRealm.java declares two StringBuffer fields, preparedRoles and preparedCredentials, that hold the SQL to be used. After these fields are assigned they do not change, but to use them StringBuffer.toString() must be called. The toString method is synchronized and creates a new String instance each time it's called. The simple fix is to change those fields to Strings, update the start() method, and remove the toString() calls in the credentials(...) and roles(...) methods. A better, more intrusive fix is to take advantage of PreparedStatements like JDBCRealm does.
Trivial, as you noted ;) I did the simple optimization you suggested above, not the more intrusive one. If you really think there's good value in doing the more intrusive one, please submit a patch that does it and reopen this issue. Thanks ;)