diff --git a/src/main/java/com/nike/cerberus/security/CmsRequestSecurityValidator.java b/src/main/java/com/nike/cerberus/security/CmsRequestSecurityValidator.java
index 69a184e76..ec6350e32 100644
--- a/src/main/java/com/nike/cerberus/security/CmsRequestSecurityValidator.java
+++ b/src/main/java/com/nike/cerberus/security/CmsRequestSecurityValidator.java
@@ -26,6 +26,8 @@
 import com.nike.riposte.server.http.RequestInfo;
 import com.nike.riposte.server.http.Endpoint;
 import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import javax.ws.rs.core.SecurityContext;
 import java.net.URI;
@@ -42,6 +44,8 @@ public class CmsRequestSecurityValidator implements RequestSecurityValidator {
 public static final String SECURITY_CONTEXT_ATTR_KEY = "vaultSecurityContext";
+ private final Logger log = LoggerFactory.getLogger(getClass());
+
 private final Collection> endpointsToValidate;
 private final VaultAdminClient vaultAdminClient;
@@ -50,6 +54,7 @@ public CmsRequestSecurityValidator(final Collection> endpointsToVali
 final VaultAdminClient vaultAdminClient) {
 this.endpointsToValidate = endpointsToValidate;
 this.vaultAdminClient = vaultAdminClient;
+ this.endpointsToValidate.forEach(endpoint -> log.info("auth protected: {}", endpoint.getClass().getName()));
 }
 @Override
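Review bot: In the constructor, the added `forEach` logs nothing at all when `endpointsToValidate` is empty, so a wiring mistake that leaves no endpoint behind this validator produces the same log output as a build without this logging. I would log the size before the loop, `log.info("auth protected endpoint count: {}", endpointsToValidate.size());`, and consider raising it to a warning when the count is zero. The same line also dereferences the collection without a null check, so a null argument now fails on the logging line with an anonymous NullPointerException; `this.endpointsToValidate = Objects.requireNonNull(endpointsToValidate, "endpointsToValidate");` would make the precondition explicit (it needs a `java.util.Objects` import if the file does not already have one). The constructor's signature line starts outside the hunk.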
@@ -85,6 +90,19 @@ public Collection> endpointsToValidate() {
 return endpointsToValidate;
 }
+ /**
+ * @return true if this security validator is fast enough that {@link #validateSecureRequestForEndpoint(RequestInfo, * Endpoint)} can run without unnecessarily blocking Netty worker threads to the point it becomes a bottleneck and
+ * adversely affecting throughput, false otherwise when {@link #validateSecureRequestForEndpoint(RequestInfo, * Endpoint)} should be run asynchronously off the Netty worker thread. Defaults to true because security validators
+ * are usually actively crunching numbers and the cost of context switching to an async thread is often worse than
+ * just doing the work on the Netty worker thread. Bottom line: This is affected heavily by numerous factors and
+ * your specific use case - you should test under high load with this turned on and off for your security validator
+ * and see which one causes better behavior.
+ */
+ @Override
+ public boolean isFastEnoughToRunOnNettyWorkerThread() {
+ return false;
+ }
+
 public static Optional getSecurityContextForRequest(RequestInfo requestInfo) {
 final Object securityContext = requestInfo.getRequestAttributes().get(SECURITY_CONTEXT_ATTR_KEY);
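Review bot: The Javadoc added on `isFastEnoughToRunOnNettyWorkerThread()` reads as the generic interface text (it says "Defaults to true") while this override returns `false`, and it never says why this validator must run off the worker thread. The likely reason is the lookup through `vaultAdminClient`, but the body of `validateSecureRequestForEndpoint` is outside the hunk, so that is inferred and should be confirmed. I would replace the copied block with one sentence specific to this class, for example `/** Returns false because token validation makes a blocking call to Vault and must not run on a Netty worker thread. */`. Recording the reason matters because a later change back to `true` would let one slow token lookup hold up every request served by that worker thread.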