WW-5630 - Performance Issue SecurityMemberAccess#1721
Conversation
Update local branch
* Add size bound cache, 50, for Class lookup * Add unit test Code generated by Copilot
lukaszlenart
left a comment
lukaszlenart
left a comment
There was a problem hiding this comment.
Thanks for tackling WW-5630 — the motivation is solid. SecurityMemberAccess is Scope.PROTOTYPE (StrutsBeanSelectionProvider.java:454), so it's reconstructed on every value-stack creation (~per request), and each construction re-runs the @Inject use* setters → validateClasses → ClassLoader.loadClass(...). Memoizing that is worthwhile, and Caffeine is already a core dependency.
Two blocking issues before merge, both rooted in the cache key:
- Key on classloader identity, not
String.valueOf(classLoader). This can return aClass<?>from the wrong loader (collisions / constanttoString()), and thoseClassobjects feed OGNL exclusion/allowlist checks that rely on==— security-adjacent. - Static cache holding strong
Class<?>values pins classloaders — relevant given the WW-5537 leak work on adjacent branches.
Both are solved together with Caffeine.newBuilder().maximumSize(...).weakKeys().weakValues().build() keyed on the real ClassLoader (e.g. Cache<ClassLoader, Cache<String, Class<?>>>). weakKeys() gives identity equality (fixes #1) and GC-safety (fixes #2). Details inline.
* Cache ClassLoader directly * Use weakKeys and weakValues * Comment on the ClassLookupException * Additional Unit Tests Assistance in coding using co-pilot
|
@lukaszlenart I believe I've resolved all the concerns you raised and added additional UTs as well. Test set: org.apache.struts2.util.ConfigParseUtilTestTests run: 9, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.001 s -- in org.apache.struts2.util.ConfigParseUtilTest |
2 participants
No description provided.