Moderate to high traffic leads to very high CPU usage with Spring Security version 5.0.0.RELEASE.
After trying things out and looking into the changelist of 5.0.0.RELEASE I found out that the new default password encryption logic is the reason for the high CPU usage.
When I use NoOpPasswordEncryption (old default) the CPU usage is normal, while using PasswordEncoderFactories.createDelegatingPasswordEncoder() produces very high CPU usage again.
Which is obvious though but should somehow be fixed.
This is basically just a default Spring Boot 2.0.0.M7 application with basic authentication (user:test) and 1 request mapping.
When I send ~7000 requests per 30 sec. I observed very high CPU usage of around 140% of the machines it is running on. (10 instances in parallel)

After downgrading to the last Spring Security release 4.2.3.RELEASE the CPU usage drops drastically by ~120%.

I have tested this with Tomcat 8 and Tomcat 8.5 as packaged war deployments.
The requests are all authorized with basic auth.
High CPU usage due to high traffic
Normal CPU usage although high traffic
5.0.0.RELEASE
Thank you for the report.
Because adaptive one-way functions are intentionally resource intensive, validating a username and password for every request will degrade performance of an application significantly. There is nothing Spring Security (or any other library) can do to speed up the validation of the password since security is gained by making the validation resource intensive. Users are encouraged to exchange the long term credentials (i.e. username and password) for a short term credential (i.e. session, OAuth Token, etc). The short term credential can be validated quickly without any loss in security.
I have updated the documentation to include the information above. Thanks again for the report!
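The exchange recommended in the reply above, as an added example that is not part of the original issue or of Spring Security's code: the password is checked once with a slow adaptive function, then a short-lived HMAC-signed token is validated on each request. The class name, token format, iteration count and 15-minute lifetime are assumptions made for illustration, and PBKDF2 from the JDK stands in for the adaptive function.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class ShortTermCredentialDemo {
    static final byte[] TOKEN_KEY = randomBytes(32);  // constructed server-side signing key
    static byte[] randomBytes(int n) { byte[] b = new byte[n]; new SecureRandom().nextBytes(b); return b; }
    // Long-term credential check: slow on purpose (PBKDF2 as a stand-in; the cost is an assumption).
    static byte[] slowHash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 200_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    static byte[] hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(TOKEN_KEY, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    // Short-term credential, issued once after the slow check: user|expiryMillis|base64url(HMAC).
    static String issueToken(String user, long ttlMillis) throws Exception {
        String payload = user + "|" + (System.currentTimeMillis() + ttlMillis);
        return payload + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(payload));
    }
    // Per-request check: one HMAC, constant-time compare, then expiry.
    static boolean validToken(String token) throws Exception {
        int i = token.lastIndexOf('|');
        if (i < 0) return false;
        String payload = token.substring(0, i);
        byte[] sig;
        try { sig = Base64.getUrlDecoder().decode(token.substring(i + 1)); }
        catch (IllegalArgumentException e) { return false; }
        if (!MessageDigest.isEqual(sig, hmac(payload))) return false;
        return System.currentTimeMillis() < Long.parseLong(payload.substring(payload.lastIndexOf('|') + 1));
    }
    public static void main(String[] args) throws Exception {
        byte[] salt = randomBytes(16);
        byte[] stored = slowHash("test".toCharArray(), salt);  // hash kept in the user store
        long t0 = System.nanoTime();
        boolean ok = MessageDigest.isEqual(stored, slowHash("test".toCharArray(), salt));  // once, at login
        String token = issueToken("user", 15 * 60_000L);
        long t1 = System.nanoTime();
        for (int k = 0; k < 7000; k++) ok &= validToken(token);  // the report's ~7000 requests
        long t2 = System.nanoTime();
        System.out.printf("ok=%b, login: %d ms, 7000 token checks: %d ms%n",
                ok, (t1 - t0) / 1_000_000, (t2 - t1) / 1_000_000);
    }
}
```

In a Spring Security application the same effect usually comes from letting the client keep the session cookie issued after the first Basic-authenticated request, so later requests are not re-verified against the password hash.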