BasicAuthenticationFilter uses the default password encoder, which in the latest Spring Boot is set to BCrypt. This configuration creates a 100ms delay (and 100ms of real CPU time) for each request.

To Reproduce: Create a Spring Boot application with a REST controller. Protect the controller with basic auth. Check the request time before/after protection. Observe the CPU load with basic authorization configured.

Expected behavior: Spring Boot code adds very little overhead to the request processing.

Sample: Clone https://github.com/ijrandom/spring_boot_basic_auth_issue. Follow the instructions in the README.

Comment From: jzheaux

@ijrandom thanks for the suggestion.

BCrypt is designed to take a long time in order to mitigate brute force attacks. It is important that Spring Security ship with this and other secure defaults. We don't want to lower the baseline security of the OOTB experience.

To achieve your expected behavior, there are two things that you can do:

  1. Use something like OAuth 2.0 Bearer Tokens, which will verify a signature instead of hashing a password.
  2. Configure a faster password encoder, though note that this trades security for performance.
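As an added illustration of the second option (example code, not from the issue or from Spring Security itself): the BCrypt work factor is what governs the per-request latency, and Spring Security's `BCryptPasswordEncoder` lets it be set explicitly. The `BCRYPT_STRENGTH` value and the `millisToVerify` helper are assumptions made for this example; the measured timings will differ per machine.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class PasswordEncoderConfig {

    // Hypothetical work factor chosen for this example. BCryptPasswordEncoder
    // defaults to 10; each +1 doubles the hashing cost, so 8 is roughly a
    // quarter of the default cost (and correspondingly cheaper to brute-force).
    private static final int BCRYPT_STRENGTH = 8;

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Keep the {id} prefix format Spring Security uses by default so stored
        // hashes stay self-describing and can later be migrated to a higher cost.
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder(BCRYPT_STRENGTH));
        return new DelegatingPasswordEncoder("bcrypt", encoders);
    }

    /**
     * Times one matches() call for a freshly encoded password.
     * Note that the cost is embedded in the hash itself, so lowering the
     * encoder's strength only affects newly encoded passwords; hashes that were
     * stored at strength 10 keep costing ~100ms to verify until re-encoded.
     */
    static long millisToVerify(PasswordEncoder encoder, String rawPassword) {
        String hash = encoder.encode(rawPassword);
        long start = System.nanoTime();
        encoder.matches(rawPassword, hash);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) {
        // Constructed sample password; compare verification latency per strength.
        for (int strength : new int[] {4, 8, 10, 12}) {
            PasswordEncoder encoder = new BCryptPasswordEncoder(strength);
            System.out.printf("strength %2d: %d ms per verification%n",
                    strength, millisToVerify(encoder, "correct-horse-battery"));
        }
    }
}
```

Because each basic-auth request re-verifies the password, whatever latency `millisToVerify` reports at the configured strength is added to every request; that is the trade-off jzheaux's second option refers to.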