Spring BasicAuthenticationFilter.doFilter() very slow

Question

In my Spring Boot 2.0.5 App I'm using basic-auth to secure REST-API's.

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
   @Override
   protected void configure(final HttpSecurity http) throws Exception {
       http.authorizeRequests().antMatchers("/api/**").authenticated().and()
       .httpBasic().and().csrf().disable();
   }
   @Bean
   public InMemoryUserDetailsManager inMemoryUserDetailsManager() {
    final InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
    manager.createUser("user").password("pwd").roles("roles").build()));
    return manager;
    }
}

One of these API's is used by a Feign client (another Spring Boot App) with Feigns BasicAuthRequestInterceptor.

NewRelic reports for every Webservice request that Spring's BasicAuthenticationFilter.doFilter() uses up to 10 seconds (!).

That is a massive overhead. What is wrong here and what can I do to speed things up?

Hi @Saimonsez - I am also facing the same issue. Is there any fix? — Vibhor Bhardwaj, Nov 21 '19 at 06:08

score 1 · Answer 1 · answered Nov 22 '19 at 10:40

I was also facing the same issue. My TPS was 40 for 150 simultaneous threads. We analyzed the issue and found that the issue is with the Bcrypt encoding algorithm. Change the strength to a lower value. Like below.

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(4);
}

The default strength of BCryptPasswordEncoder is 10. Reduce it to 4. Also update the passwords in password store.

Also, if you are using HikariCP, please follow this link to fine-tune the maximum pool size.

Currently, My TPS is 300+ for 2 core CUP for 300 simultaneous threads

Hope this helps. Thank you.

Spring BasicAuthenticationFilter.doFilter() very slow

1 Answers1