Skip to content

RegexRequestMatcher.matches() allocates LogMessage wrapper on every request even when debug disabled #19251

Description

@onukristo

Describe the bug
web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java:136 allocates memory and wastes CPU when debug logging is disabled - a typical production scenario.

OrRequestMatcher.matches calls every child matcher per request, so this multiplies by the number of regex rules in the security config.

Proposed fix: wrap with isDebugEnabled()

Stacktrace:

  org.springframework.core.log.LogMessage$FormatMessage2.<init>(String, Object, Object)
  org.springframework.core.log.LogMessage.format(String, Object, Object)
  org.springframework.security.web.util.matcher.RegexRequestMatcher.matches(HttpServletRequest)
  org.springframework.security.web.util.matcher.OrRequestMatcher.matches(HttpServletRequest)
  org.springframework.security.web.DefaultSecurityFilterChain.matches(HttpServletRequest)
  org.springframework.security.web.FilterChainProxy.getFilters(HttpServletRequest)
  org.springframework.security.web.FilterChainProxy.doFilterInternal(ServletRequest, ServletResponse, FilterChain)
  org.springframework.security.web.FilterChainProxy.doFilter(ServletRequest, ServletResponse, FilterChain)
Image

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions