Describe the bug
web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java:136 allocates memory and wastes CPU when debug logging is disabled - a typical production scenario.
OrRequestMatcher.matches calls every child matcher per request, so this multiplies by the number of regex rules in the security config.
Proposed fix: wrap with isDebugEnabled()
Stacktrace:
org.springframework.core.log.LogMessage$FormatMessage2.<init>(String, Object, Object)
org.springframework.core.log.LogMessage.format(String, Object, Object)
org.springframework.security.web.util.matcher.RegexRequestMatcher.matches(HttpServletRequest)
org.springframework.security.web.util.matcher.OrRequestMatcher.matches(HttpServletRequest)
org.springframework.security.web.DefaultSecurityFilterChain.matches(HttpServletRequest)
org.springframework.security.web.FilterChainProxy.getFilters(HttpServletRequest)
org.springframework.security.web.FilterChainProxy.doFilterInternal(ServletRequest, ServletResponse, FilterChain)
org.springframework.security.web.FilterChainProxy.doFilter(ServletRequest, ServletResponse, FilterChain)
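
The cost described in the report, as an added example that is not part of the original issue or of Spring Security's code: a stand-alone Java model that counts the message objects built while debug logging is off, with and without the level check. `LazyMessage`, `Log`, `RegexMatcher`, the three rules and the request URLs are constructed stand-ins, not Spring types.

```java
import java.util.List;
import java.util.regex.Pattern;

// Constructed model of the reported pattern; these classes are stand-ins, not Spring's.
public class DebugGuardDemo {
    static long allocated = 0; // number of message objects built

    // Stand-in for the object a lazy formatter such as LogMessage.format returns.
    record LazyMessage(String fmt, Object a, Object b) {
        LazyMessage { allocated++; }
        @Override public String toString() { return String.format(fmt, a, b); }
    }

    // Stand-in logger; debug is off, as in the production scenario in the report.
    record Log(boolean debugEnabled) {
        void debug(Object msg) { if (debugEnabled) System.out.println(msg); }
    }

    record RegexMatcher(Pattern pattern, Log log, boolean guarded) {
        boolean matches(String url) {
            // Unguarded: the message object is built before debug() can discard it.
            // Guarded: the level check runs first, so nothing is built when debug is off.
            if (!guarded || log.debugEnabled()) {
                log.debug(new LazyMessage("checking '%s' against '%s'", url, pattern));
            }
            return pattern.matcher(url).matches();
        }
    }

    // Like an "or" matcher: children are tried in order until one matches.
    static boolean anyMatch(List<RegexMatcher> children, String url) {
        for (RegexMatcher m : children) {
            if (m.matches(url)) return true;
        }
        return false;
    }

    static long allocationsFor(boolean guarded, int requests) {
        Log log = new Log(false);
        List<RegexMatcher> rules = List.of("/admin/.*", "/api/v[0-9]+/.*", "/internal/.*").stream()
                .map(r -> new RegexMatcher(Pattern.compile(r), log, guarded)).toList();
        allocated = 0;
        for (int i = 0; i < requests; i++) {
            anyMatch(rules, "/public/page" + i); // constructed URL that matches no rule
        }
        return allocated;
    }

    public static void main(String[] args) {
        System.out.println("unguarded: " + allocationsFor(false, 1000));
        System.out.println("guarded:   " + allocationsFor(true, 1000));
    }
}
```

A request that matches none of the rules reaches every child, so the unguarded count grows as rules times requests while the guarded count stays at zero.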
