Oliver Siegmar (Migrated from SEC-1615) said:
Since Spring Security 3 I notice that the startup time of my web applications varies greatly on each startup. One of my simple applications sometimes starts in 3 secs, sometimes it takes up to 40 seconds (same non-busy system). I enabled debug logging and noticed the following:
Slow startup (> 30 secs):
2010-11-06 14:46:10,394 INFO org.springframework.security.config.SecurityNamespaceHandler: Spring Security 'config' module version is 3.0.4.RELEASE
2010-11-06 14:46:40,235 INFO org.springframework.security.config.http.HttpSecurityBeanDefinitionParser: Checking sorted filter chain: [REMOVED VERY LARGE CONTENT]
(there are ~ 30 secs between these two log entries)
Fast startup (~ 3 secs):
2010-11-06 15:03:19,737 INFO org.springframework.security.config.SecurityNamespaceHandler: Spring Security 'config' module version is 3.0.4.RELEASE
2010-11-06 15:03:19,840 INFO org.springframework.security.config.http.HttpSecurityBeanDefinitionParser: Checking sorted filter chain: [REMOVED VERY LARGE CONTENT]
(there are ~ 0.1 secs between these two log entries)
Of course this is from the same application without any changes - simply stopped and restarted Tomcat.
I did a thread dump to see what is going on while waiting:
"main" prio=10 tid=0x00000000414b1000 nid=0x2850 runnable [0x00007f42e08d1000]
at java.io.FileInputStream.readBytes(Native Method)
- locked <0x00007f42db893378> (a java.io.BufferedInputStream)
- locked <0x00007f42db893040> (a java.io.BufferedInputStream)
- locked <0x00007f42db892888> (a sun.security.provider.SecureRandom)
- locked <0x00007f42db892e78> (a java.security.SecureRandom)
As you can see, the problem seems to be an IO-wait caused by java.util.random / java.security.SecureRandom - but why doesn't this happen with Spring Security 2.x?
I guess this is related to SEC-1386 (but I'm not in a virtual machine).
Is there any workaround available? Can this be improved in Spring Security? Even if it cannot, it should be documented as a known problem.
Luke Taylor said:
This is a problem with using SecureRandom on your system rather than something specific to Spring Security. As described in the other issue, you can try setting securerandom.source. You will also find other similar discussions and potential solutions if you search the web, since SecureRandom is used in many different situations. In this case, it is only being used to create the token associated with the anonymous filter, so you can disable anonymous authentication if you don't need it.
As a workaround, I've made changes to create the SecureRandom on demand, so if you set a key manually using (and do the same in the element if using it) then this will prevent any delay caused by seeding the SecureRandom.
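The on-demand behaviour described in the reply above, as an added example that is not part of the original thread and not Spring Security's own code: a key holder that only constructs and seeds `SecureRandom` when no key was configured, plus a timing check that shows where the JVM reads its seed from. The class names `SecureRandomStartupCheck` and `TokenKey` and the sample key are assumptions; `java.security.egd` is the standard JVM system property that overrides `securerandom.source`.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.security.Security;

public class SecureRandomStartupCheck {

    /** Hypothetical holder: returns the configured key, or seeds SecureRandom on first use. */
    static final class TokenKey {
        private final String configuredKey;
        private String generatedKey;

        TokenKey(String configuredKey) {
            this.configuredKey = configuredKey;
        }

        synchronized String get() {
            if (configuredKey != null) {
                return configuredKey; // SecureRandom is never constructed or seeded
            }
            if (generatedKey == null) {
                // First use seeds the generator; a blocking entropy source stalls here.
                generatedKey = new BigInteger(128, new SecureRandom()).toString(16);
            }
            return generatedKey;
        }
    }

    static long timeMillis(Runnable r) {
        long start = System.nanoTime();
        r.run();
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        // Where this JVM is configured to read seed material from.
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd   = " + System.getProperty("java.security.egd"));

        TokenKey explicit = new TokenKey("constructed-sample-key"); // constructed value
        TokenKey generated = new TokenKey(null);

        System.out.println("explicit key:  " + timeMillis(explicit::get) + " ms");
        System.out.println("generated key: " + timeMillis(generated::get) + " ms");
    }
}
```

On a host where the seed source blocks, the second timing shows the same stall as the 30-second gap in the slow startup log, while the explicit key returns immediately.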