Ahsan 02

Reputation: 61

Spring Security: Custom Authentication Provider

I have developed an application with Spring MVC for high user traffic. Suppose there are at least 20,000 concurrent users. I have implemented a Spring Security custom authentication provider in two ways.
The 1st one is:

@Override
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {

    String username = authentication.getName();
    String password = authentication.getCredentials().toString();
    CustomUser user = _userDetailService.loadUserByUsername(username);
    if (user == null || !user.getUsername().equalsIgnoreCase(username)) {
        throw new BadCredentialsException("Username not found.");
    }
    if (!BCrypt.checkpw(password, user.getPassword())) {
        throw new BadCredentialsException("Wrong password.");
    }
    Collection<? extends GrantedAuthority> authorities = user.getAuthorities();
    return new UsernamePasswordAuthenticationToken(user, password, authorities);
}

2nd one is:

@Override
public Authentication authenticate(Authentication authentication)
        throws AuthenticationException {
    try {
        Authentication auth = super.authenticate(authentication);
        // if reach here, means login success, else an exception will be thrown
        // reset the user_attempts
        return auth;
    } catch (BadCredentialsException e) {
        // invalid login, update to user_attempts
        throw e;
    }
}

Now my question is: which implementation will give me the faster output?

Upvotes: 0

Views: 1009

Answers (1)

stefanhgm

Reputation: 55

As already pointed out by Afridi, your 1st version is exactly what DaoAuthenticationProvider is supposed to do. I would strongly discourage you from re-implementing its functionality, since you might, for example, introduce new security-relevant errors.

If you really need a custom authentication method, there is no way around a custom authentication method of course. In order to measure the performance of this implementation in general or versus the standard implementation, you should simply define a test scenario (e.g. 20000 dummy authentications as homlis83 suggested) and run the program in a profiler. This will show you exactly how much time is spent in your authentication method and even which part takes the most time.

I think the most popular Java profiler is VisualVM and, depending on your IDE, there might be a plugin that further simplifies its use. There are also a lot of tutorials for Java profiling out there, but this is definitely the way to go for you to get reliable data for the performance.

Upvotes: 1
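
As an added example (not part of the question or the answer above), this is one way to keep the standard DaoAuthenticationProvider for the credential check and add only the attempt bookkeeping from the question's 2nd version. It assumes Spring Security 5.x setter names; `LoginAttemptService` and the class name are hypothetical.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Hypothetical interface standing in for the question's user_attempts storage.
interface LoginAttemptService {
    void recordFailure(String username);
    void reset(String username);
}

public class AttemptTrackingAuthenticationProvider extends DaoAuthenticationProvider {

    private final LoginAttemptService attempts;

    public AttemptTrackingAuthenticationProvider(UserDetailsService users,
                                                 LoginAttemptService attempts) {
        this.attempts = attempts;
        // User lookup and BCrypt verification stay in the framework code.
        setUserDetailsService(users);
        setPasswordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        try {
            // Inherited logic: loads the user, checks the BCrypt hash, and by
            // default (hideUserNotFoundExceptions = true) reports an unknown
            // user and a wrong password with the same BadCredentialsException.
            Authentication auth = super.authenticate(authentication);
            attempts.reset(authentication.getName());
            return auth;
        } catch (BadCredentialsException e) {
            // Count the failure, then rethrow unchanged so the caller sees
            // the framework's generic error rather than a custom message.
            attempts.recordFailure(authentication.getName());
            throw e;
        }
    }
}
```

Profiling this class against a hand-written provider, as the answer suggests, then compares only the bookkeeping overhead, because both paths perform the same BCrypt verification.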
