Description
Summary
Whilst investigating Spring Boot startup time regressions it became apparent that BCrypt.encode is a hot method.
Actual Behavior
DaoAuthenticationProvider currently generates an encoded password in doAfterPropertiesSet. This encoded password is decoded when a UsernameNotFoundException is thrown in order to prevent timing attacks (a user that isn't found takes about the same time to process as one that is).
Expected Behavior
It would be nice to remove the encode call from the application startup critical-path so that application startup times are not increased. One possible option might be to make userNotFoundEncodedPassword late binding and to calculate it on the first call to retrieveUser.
I believe (although I'm by no means an expert here) that this should allow faster startup without being susceptible to timing attacks. The first call to retrieveUser would be a little slower, but this will be constant regardless of whether a user is ultimately found or not. Subsequent calls will have the same behavior as the current implementation.
Configuration
Spring Boot 2.0.M7 running spring-boot-sample-actuator-ui.
Version
5.0.0.RELEASE
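The following is an added, self-contained illustration of the lazy-binding idea proposed above; it is not Spring Security's code. The PasswordEncoder interface is a stand-in for Spring's contract, IteratedHashEncoder is a constructed slow encoder (iterated SHA-256) used in place of BCrypt so the sample runs offline, and the users map is constructed test data. The point it shows is that the dummy hash is computed on the first authentication attempt rather than at construction time, and that an unknown username still pays one full encoder comparison before failing, so found and not-found paths cost about the same.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

// Stand-in for Spring Security's PasswordEncoder contract (assumption for this example).
interface PasswordEncoder {
    String encode(CharSequence rawPassword);
    boolean matches(CharSequence rawPassword, String encodedPassword);
}

// Constructed slow encoder: iterated SHA-256 mimics BCrypt's cost; it is NOT a real password hash scheme.
final class IteratedHashEncoder implements PasswordEncoder {
    private static final int ROUNDS = 200_000;

    public String encode(CharSequence rawPassword) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] h = rawPassword.toString().getBytes(StandardCharsets.UTF_8);
            for (int i = 0; i < ROUNDS; i++) {
                h = md.digest(h);
            }
            StringBuilder hex = new StringBuilder();
            for (byte b : h) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Constant-time comparison of the two hex strings.
        return MessageDigest.isEqual(
                encode(rawPassword).getBytes(StandardCharsets.UTF_8),
                encodedPassword.getBytes(StandardCharsets.UTF_8));
    }
}

// Hypothetical provider showing userNotFoundEncodedPassword being bound on first use.
final class LazyTimingSafeProvider {
    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";

    private final PasswordEncoder encoder;
    private final Map<String, String> users; // username -> encoded password (constructed data)
    private volatile String userNotFoundEncodedPassword; // null until the first authenticate() call

    LazyTimingSafeProvider(PasswordEncoder encoder, Map<String, String> users) {
        this.encoder = encoder;
        this.users = users;
        // Note: no encode() here, so constructing the provider is cheap at startup.
    }

    // Computes the dummy hash exactly once, on the first call, regardless of whether the user exists.
    private void prepareTimingAttackProtection() {
        if (userNotFoundEncodedPassword == null) {
            synchronized (this) {
                if (userNotFoundEncodedPassword == null) {
                    userNotFoundEncodedPassword = encoder.encode(USER_NOT_FOUND_PASSWORD);
                }
            }
        }
    }

    boolean authenticate(String username, String presentedPassword) {
        prepareTimingAttackProtection();
        String stored = users.get(username);
        if (stored == null) {
            // Unknown user: burn the same encoder cost as a real comparison, then fail.
            encoder.matches(presentedPassword, userNotFoundEncodedPassword);
            return false;
        }
        return encoder.matches(presentedPassword, stored);
    }
}

public class LazyTimingSafeProviderDemo {
    public static void main(String[] args) {
        PasswordEncoder encoder = new IteratedHashEncoder();
        Map<String, String> users = new HashMap<>();
        users.put("alice", encoder.encode("correct horse")); // constructed account

        long t0 = System.nanoTime();
        LazyTimingSafeProvider provider = new LazyTimingSafeProvider(encoder, users);
        System.out.printf("construct provider: %d ms%n", (System.nanoTime() - t0) / 1_000_000);

        time("first call (pays one-off encode)", () -> provider.authenticate("nobody", "x"));
        time("known user, wrong password", () -> provider.authenticate("alice", "wrong"));
        time("unknown user", () -> provider.authenticate("nobody", "wrong"));
        time("known user, right password", () -> provider.authenticate("alice", "correct horse"));
    }

    private static void time(String label, java.util.function.BooleanSupplier op) {
        long t0 = System.nanoTime();
        boolean ok = op.getAsBoolean();
        System.out.printf("%-34s -> %-5s %d ms%n", label, ok, (System.nanoTime() - t0) / 1_000_000);
    }
}
```

Run the demo and compare the "known user, wrong password" and "unknown user" timings: both perform one full encoder comparison, so they should be close, while constructing the provider costs nothing. The first call is slower because it also performs the one-off encode, which is the trade-off the proposal accepts in exchange for removing that work from startup.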