Below is the API, the spring-security-oauth2-2.x.x endpoint used to validate an access token.
curl -v -H 'Accept: application/json' -H 'Authorization: Basic NTIyNDM0OWYtYmNlMy00NTMwLWEwMTgtNmU4YWVkM2JiMzhlOm15LXNlY3JldC1rZXk=' -X GET 'http://127.0.0.1:8110/oauth/check_token?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsib2F1dGgyLXJlc291cmNlIl0sInVzZXJfbmFtZSI6Im1heWFuayIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJleHAiOjE1OTA5MDIzNDIsImF1dGhvcml0aWVzIjpbIlJPTEVfU1RVREVOVCJdLCJqdGkiOiIwMjE1ZTVjMS1hNjExLTRlNzctYmI1MS0zY2U2ZTU5MThlMTMiLCJjbGllbnRfaWQiOiI2ZTA1ZDk5My1kNTQ0LTRkYzktYWVjOC05NTc5MGY3NGUxOWEifQ.vWdTPTER6dhMaaPZTo1x0ApJzoaLs5pUpJBRR77Tfqs'
This API takes more than 1 second. We are using JDBC rather than InMemory, but this is not related to the database, because we have very few entries in the DB. I tried to debug the code but did not find any clue to the problem.
Below is where I found it spends a lot of time:
2020-05-19 12:25:41.673 DEBUG 26520 --- [nio-8110-exec-1] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2020-05-19 12:25:42.632 DEBUG 26520 --- [nio-8110-exec-1] o.s.b.f.s.DefaultListableBeanFactory : Creating shared instance of singleton bean 'scopedTarget.clientDetailsService'
2020-05-19 12:25:42.830 DEBUG 26520 --- [nio-8110-exec-1] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL query
2020-05-19 12:25:42.831 DEBUG 26520 --- [nio-8110-exec-1] o.s.jdbc.core.JdbcTemplate : Executing prepared SQL statement [select client_id, client_secret, resource_ids, scope, authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove from oauth_client_details where client_id = ?]
2020-05-19 12:25:42.831 DEBUG 26520 --- [nio-8110-exec-1] o.s.jdbc.datasource.DataSourceUtils : Fetching JDBC Connection from DataSource
2020-05-19 12:25:43.680 DEBUG 26520 --- [nio-8110-exec-1] o.s.s.w.a.www.BasicAuthenticationFilter : Authentication success: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@647b2ff0: Principal: org.springframework.security.core.userdetails.User@9b84454a: Username: 5224349f-bce3-4530-a018-6e8aed3bb38e; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Not granted any authorities; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities
My further finding on this: the time is spent in the line below.
Class:- org.springframework.security.authentication.dao.DaoAuthenticationProvider
Line No:- 90
if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
So this seems to be caused first of all by the passwordEncoder, which is encoding our password, and that is where the time goes. Can someone suggest how to fix this? I don't need a complex password storage algorithm.
We are using:-
@Autowired
@Qualifier("bCryptPasswordEncoder")
private BCryptPasswordEncoder bCryptPasswordEncoder;
We solved it by lowering the BCryptPasswordEncoder strength.
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder() {
return new BCryptPasswordEncoder(10);
}
Before changing the strength, please go through the link below.
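Added example (not code from the original post or from Spring Security) showing why the strength matters for /oauth/check_token: it times BCryptPasswordEncoder.matches() at each cost factor, which is the call DaoAuthenticationProvider makes on every request to verify the client secret, and then shows that the cost is read from the stored hash, so lowering the bean's strength only helps once the stored client secrets are re-encoded. The secret value is a constructed sample, not the one from the post.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/** Added example: how BCrypt strength drives client-secret verification latency. */
public class BcryptCostProbe {

    // Constructed sample secret; stands in for the client_secret column of oauth_client_details.
    static final String RAW_SECRET = "example-client-secret";

    /** Wall-clock time of one matches() call, which is what DaoAuthenticationProvider does per request. */
    static long verifyMillis(BCryptPasswordEncoder encoder, String storedHash) {
        long start = System.nanoTime();
        boolean ok = encoder.matches(RAW_SECRET, storedHash);
        if (!ok) {
            throw new IllegalStateException("secret did not verify");
        }
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        // Each step of strength roughly doubles the work; the stored hash records it as $2a$<strength>$...
        for (int strength = 4; strength <= 14; strength++) {
            BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(strength);
            String hash = encoder.encode(RAW_SECRET);
            System.out.printf("strength=%2d  verify=%4d ms  prefix=%s%n",
                    strength, verifyMillis(encoder, hash), hash.substring(0, 7));
        }

        // Caveat: matches() takes the cost from the stored hash, not from the encoder bean.
        String hashedAt12 = new BCryptPasswordEncoder(12).encode(RAW_SECRET);
        BCryptPasswordEncoder weakerEncoder = new BCryptPasswordEncoder(10);
        System.out.printf("hash made at 12, verified by encoder(10): %d ms%n",
                verifyMillis(weakerEncoder, hashedAt12));
        // Still costs the strength-12 time: client secrets already in the DB must be re-encoded
        // with the new strength before a lower bean strength changes /oauth/check_token latency.
    }
}
```

The loop gives you the per-request cost of each strength on your own hardware, so you can pick the lowest value whose verification time is acceptable for check_token traffic rather than guessing.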