Description
Summary
Whilst investigating Spring Boot startup time regressions it became apparent that BCrypt.encode is a hot method.
Actual Behavior
DaoAuthenticationProvider currently generates an encoded password in doAfterPropertiesSet. This encoded password is then used for a password match when a UsernameNotFoundException is thrown, so that a request for a user that isn't found takes about the same time to process as one for a user that is (preventing timing attacks).
Expected Behavior
It would be nice to remove the encode call from the application startup critical path so that application startup times are not increased. One possible option might be to make userNotFoundEncodedPassword late binding and to calculate it on the first call to retrieveUser.
I believe (although I'm by no means an expert here) that this should allow faster startup without being susceptible to timing attacks. The first call to retrieveUser would be a little slower, but this will be constant regardless of whether a user is ultimately found or not. Subsequent calls will have the same behavior as the current implementation.
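To illustrate the late-binding option described above, here is an added example (not Spring Security's own code) that computes the dummy hash on the first call instead of at startup. It assumes a simplified retrieveUser(username, presentedPassword) signature and a constructor-supplied UserDetailsService; the PasswordEncoder, BCryptPasswordEncoder and UsernameNotFoundException types are the real Spring Security ones, and the double-checked locking is this example's own choice.

```java
// Illustrative sketch of a lazily bound userNotFoundEncodedPassword.
// Added example, not the DaoAuthenticationProvider implementation.
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class LazyTimingMitigationExample {
    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";

    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    private final UserDetailsService userDetailsService; // assumed, supplied by caller

    // Not computed at startup; volatile so the first publication is visible to all threads.
    private volatile String userNotFoundEncodedPassword;

    public LazyTimingMitigationExample(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    // Returns the dummy hash, paying the single BCrypt encode only on the first call.
    private String userNotFoundEncodedPassword() {
        String encoded = this.userNotFoundEncodedPassword;
        if (encoded == null) {
            synchronized (this) {
                encoded = this.userNotFoundEncodedPassword;
                if (encoded == null) {
                    encoded = this.passwordEncoder.encode(USER_NOT_FOUND_PASSWORD);
                    this.userNotFoundEncodedPassword = encoded;
                }
            }
        }
        return encoded;
    }

    // Simplified retrieveUser: the dummy hash is resolved BEFORE the lookup, so the
    // first call carries the encode cost whether or not the username exists.
    public UserDetails retrieveUser(String username, String presentedPassword) {
        String dummyHash = userNotFoundEncodedPassword();
        try {
            return this.userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException ex) {
            // Unknown user: still run one matches() against the dummy hash so that
            // response time does not reveal whether the username exists.
            this.passwordEncoder.matches(presentedPassword, dummyHash);
            throw ex;
        }
    }
}
```

Resolving the hash before the user lookup, rather than inside the catch block, is what keeps the first call's extra cost the same for found and not-found users.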
Configuration
Spring Boot 2.0.M7 running spring-boot-sample-actuator-ui.
Version
5.0.0.RELEASE