Issue
I'm facing an issue with a SpringBoot application. My ICS reports high response times on this API but my code metrics says it's all fine, for example a query which is sent to my API takes only 50ms to run the "business" code but the effective response takes more than 500ms !
The internal logs of my JVM says that on each request, I have a "UsernameNotFoundExcption" even if credentials are correct and API works fine. That's why I think my problem comes from SpringSecurity layer but I can't identify the cause.
My entry point:
@Component
public class BasicAuthenticationPoint extends BasicAuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authEx)
throws IOException, ServletException {
response.addHeader("WWW-Authenticate", "Basic realm=" + getRealmName());
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.setCharacterEncoding("utf-8");
PrintWriter writer = response.getWriter();
writer.println("HTTP Status 401 - " + authEx.getMessage());
}
@Override
public void afterPropertiesSet() throws Exception {
setRealmName("MYAPI");
super.afterPropertiesSet();
}
}
And my adapter:
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private BasicAuthenticationPoint basicAuthenticationPoint;
@Bean
public BCryptPasswordEncoder encoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
HttpSecurity httpSec = http.csrf().disable();
httpSec = httpSec.authorizeRequests()
.antMatchers("/my-business-resources/**").hasRole("USER")
.antMatchers("/actuator/**").hasRole("ADMIN")
.and();
httpSec.httpBasic().authenticationEntryPoint(basicAuthenticationPoint).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// Load users file
Resource confFile = resourceLoader.getResource("classpath:users.list");
// Returns users from the configuration file <username, password (BCrypted), admin (boolean)>
List<ApiUser> users = ApiUtils.getUsersFromFile(confFile);
for(ApiUser u : users){
// Add the username/password to the in-memory authentication manager
if (u.admin)
auth.inMemoryAuthentication().withUser(u.username).password(u.password).roles("USER", "ADMIN");
else
auth.inMemoryAuthentication().withUser(u.username).password(u.password).roles("USER");
}
}
}
Did I miss something?
PS: My Spring Boot application is packaged as a WAR and executed inside a Tomcat server for standardization purposes.
EDIT:
Here's the full UsernameNotFound stacktrace (ICS formatted):
Exception Details
Type: UsernameNotFoundException
Exception Class: org.springframework.security.core.userdetails.UsernameNotFoundException
API: Exception
Thread Name: https-openssl-apr-9343-exec-10 <522634598>
Exception StackTrace
Method Class Line File Name
loadUserByUsername org.springframework.security.provisioning.InMemoryUserDetailsManager 146 <unknown>
retrieveUser org.springframework.security.authentication.dao.DaoAuthenticationProvider 104 <unknown>
authenticate org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider 144 <unknown>
authenticate org.springframework.security.authentication.ProviderManager 174 <unknown>
authenticate org.springframework.security.authentication.ProviderManager 199 <unknown>
doFilterInternal org.springframework.security.web.authentication.www.BasicAuthenticationFilter 180 <unknown>
doFilter org.springframework.web.filter.OncePerRequestFilter 107 <unknown>
doFilter org.springframework.security.web.FilterChainProxy$VirtualFilterChain 334 <unknown>
doFilter org.springframework.security.web.authentication.logout.LogoutFilter 116 <unknown>
doFilter org.springframework.security.web.FilterChainProxy$VirtualFilterChain 334 <unknown>
doFilterInternal org.springframework.security.web.header.HeaderWriterFilter 66 <unknown>
doFilter org.springframework.web.filter.OncePerRequestFilter 107 <unknown>
doFilter org.springframework.security.web.FilterChainProxy$VirtualFilterChain 334 <unknown>
doFilter org.springframework.security.web.context.SecurityContextPersistenceFilter 105 <unknown>
doFilter org.springframework.security.web.FilterChainProxy$VirtualFilterChain 334 <unknown>
doFilterInternal org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter 56 <unknown>
doFilter org.springframework.web.filter.OncePerRequestFilter 107 <unknown>
doFilter org.springframework.security.web.FilterChainProxy$VirtualFilterChain 334 <unknown>
doFilterInternal org.springframework.security.web.FilterChainProxy 215 <unknown>
doFilter org.springframework.security.web.FilterChainProxy 178 <unknown>
invokeDelegate org.springframework.web.filter.DelegatingFilterProxy 357 <unknown>
doFilter org.springframework.web.filter.DelegatingFilterProxy 270 <unknown>
internalDoFilter org.apache.catalina.core.ApplicationFilterChain 193 <unknown>
doFilter org.apache.catalina.core.ApplicationFilterChain 166 <unknown>
doFilter org.springframework.boot.web.servlet.support.ErrorPageFilter 130 <unknown>
access$000 org.springframework.boot.web.servlet.support.ErrorPageFilter 66 <unknown>
doFilterInternal org.springframework.boot.web.servlet.support.ErrorPageFilter$1 105 <unknown>
doFilter org.springframework.web.filter.OncePerRequestFilter 107 <unknown>
doFilter org.springframework.boot.web.servlet.support.ErrorPageFilter 123 <unknown>
internalDoFilter org.apache.catalina.core.ApplicationFilterChain 193 <unknown>
doFilter org.apache.catalina.core.ApplicationFilterChain 166 <unknown>
filterAndRecordMetrics org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter 155 <unknown>
filterAndRecordMetrics org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter 123 <unknown>
doFilterInternal org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter 108 <unknown>
doFilter org.springframework.web.filter.OncePerRequestFilter 107 <unknown>
internalDoFilter org.apache.catalina.core.ApplicationFilterChain 193 <unknown>
doFilter org.apache.catalina.core.ApplicationFilterChain 166 <unknown>
doFilterInternal org.springframework.web.filter.CharacterEncodingFilter 200 <unknown>
doFilter org.springframework.web.filter.OncePerRequestFilter 107 <unknown>
internalDoFilter org.apache.catalina.core.ApplicationFilterChain 193 <unknown>
Solution
Okay, after a lot of debug, I found the problem !
The issue is in the code I use to fill the in memory authenticator:
for(ApiUser u : users){
// Add the username/password to the in-memory authentication manager
if (u.admin)
auth.inMemoryAuthentication().withUser(u.username).password(u.password).roles("USER", "ADMIN");
else
auth.inMemoryAuthentication().withUser(u.username).password(u.password).roles("USER");
}
The fact of calling auth.inMemoryAuthentication() many times creates a new InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> on each time (Spring code), and so we have as many different AuthenticationManager as users (one user per each) so the authentication process is performed multiple times for each requests.
Here is how I fixed the bug:
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// Load users file
Resource confFile = resourceLoader.getResource("classpath:users.list");
// Returns users from the configuration file <username, password (BCrypted), admin (boolean)>
List<ApiUser> users = ApiUtils.getUsersFromFile(confFile);
@SuppressWarnings("rawtypes")
UserDetailsBuilder udb = null;
for(ApiUser u : users){
// Add the username/password to the in-memory authentication manager
if (udb == null)
udb = auth.inMemoryAuthentication().withUser(u.username).password(u.password);
else
udb = udb.and().withUser(u.username).password(u.password);
if (u.admin)
udb.roles("USER", "ADMIN");
else
udb.roles("USER");
}
}
Now my average response time is 80ms
Answered By - Dynamite
Answer Checked By - Marilyn (JavaFixing Volunteer)
