Merge pull request #322 from xdev-software/develop

Release

Author: AB-xdev

.github/workflows/broken-links.yml

@@ -3,7 +3,7 @@ name: Broken links
 on:
   workflow_dispatch:
   schedule:
-    - cron: "23 23 * * 0"
+    - cron: "23 5 * * 0"
 
 permissions:
   issues: write
@@ -21,6 +21,7 @@ jobs:
         id: lychee
         uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2
         with:
+          args: "--verbose --no-progress './**/*.md'"
           fail: false # Don't fail on broken links, create an issue instead
 
       - name: Find already existing issue

CHANGELOG.md

@@ -1,3 +1,6 @@
+# 2.2.1
+* Use `ConcurrentReferenceHashMap` in favor of `Collections.synchronizedMap(new WeakHashMap<>())` to improve performance
+
 # 2.2.0
 * Vaadin
   * `SecureVaadinRequestCache` now uses `RequestUtil#isSecuredFlowRoute` which should be more performant and future-proof

oauth2-oidc-remember-me/README.md

@@ -23,7 +23,7 @@ There are some problems with that:
 * The session needs to be serializable
 * If using Java Serialization: [It's insecure and will always be](https://github.com/frohoff/ysoserial)
 * When updating your app the session data might become incompatible (especially when using Java serialization) and migrating it might be extremely difficult
-* The sessions can contain a ton of data (and that needs to be store somewhere on the backend)
+* The sessions can contain a ton of data (and that needs to be stored somewhere on the backend)
 * If the persistent data/backend is breached, an attacker can easily use this data to login in / steal personal information
 * When restoring the session it might be necessary to invoke app-specific logic
 

oauth2-oidc-remember-me/src/main/java/software/xdev/sse/oauth2/rememberme/EnsureNonConcurrentExec.java

@@ -15,16 +15,15 @@
  */
 package software.xdev.sse.oauth2.rememberme;
 
-import java.util.Collections;
 import java.util.Map;
-import java.util.WeakHashMap;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Function;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.util.ConcurrentReferenceHashMap;
 
 
 /**
@@ -35,7 +34,8 @@ public class EnsureNonConcurrentExec<K, V>
 	private static final Logger LOG = LoggerFactory.getLogger(EnsureNonConcurrentExec.class);
 
 	protected final Map<K, Lock> keyLocks = new ConcurrentHashMap<>();
-	protected final Map<Lock, SavedResult<V>> lockResultsCache = Collections.synchronizedMap(new WeakHashMap<>());
+	protected final Map<Lock, SavedResult<V>> lockResultsCache =
+		new ConcurrentReferenceHashMap<>(32, ConcurrentReferenceHashMap.ReferenceType.WEAK);
 
 	protected final Function<RuntimeException, SavedResult<V>> onException;
 

oauth2-oidc/src/main/java/software/xdev/sse/oauth2/checkauth/OAuth2AuthChecker.java

@@ -32,6 +32,7 @@
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
 import org.springframework.security.oauth2.core.AbstractOAuth2Token;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.util.ConcurrentReferenceHashMap;
 
 import software.xdev.sse.oauth2.checkauth.disabledcheck.OAuth2IsDisabledChecker;
 
@@ -58,7 +59,7 @@ public class OAuth2AuthChecker
 	// https://docs.pmd-code.org/pmd-doc-7.5.0/pmd_rules_java_multithreading.html#avoidsynchronizedstatement
 	// https://openjdk.org/jeps/8337395
 	protected final Map<OAuth2AuthorizedClient, ReentrantLock> clientLocks =
-		Collections.synchronizedMap(new WeakHashMap<>());
+		new ConcurrentReferenceHashMap<>(32, ConcurrentReferenceHashMap.ReferenceType.WEAK);
 
 	public OAuth2AuthChecker(
 		final OAuth2AuthorizedClientManager clientManager,