
Performance

Open meg23 opened this issue 11 years ago • 7 comments

From [email protected] on July 08, 2014 14:33:53

I had a server facing around 10000 requests per second. I added ESAPI for security checks (mostly getValidInput) and it crashed the CPU. CPU utilization went to 90% with around 1500 requests per second. I use ESAPI.validator().getValidInput(params) every time I need to check. Am I doing something wrong, or is it a performance bug? Please help ASAP. I am stuck. Do I have to implement a singleton class somewhere?

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=332

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on July 08, 2014 11:34:46

fyi I also use ESAPI.encoder().canonicalize()

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on July 08, 2014 13:26:12

Please, somebody reply. I have a deadline to meet and I have no clue what to do.

meg23 avatar Nov 13 '14 18:11 meg23

From [email protected] on July 08, 2014 15:55:03

Figured out the issue. In ValidInput we were not setting Encoder to true or false manually. So it used to read the properties and cause a severe performance issue. As data: for 1 lakh (100,000) requests it took 3 times more time when no input was provided. Maybe we should mention it in the documents somewhere as a safe practice.

meg23 avatar Nov 13 '14 18:11 meg23
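As an added example (not the reporter's code, nor part of the ESAPI project), here is what the two points raised in this thread look like in calling code on ESAPI 2.x: resolving the `Validator` and `Encoder` singletons once instead of on every request, and choosing the `getValidInput` overload that takes the `canonicalize` boolean explicitly rather than the five-argument one, which canonicalizes by default. The rule name `AccountName` (looked up as `Validator.AccountName` in validation.properties) and the 64-character limit are assumptions for illustration; a real ESAPI.properties and validation.properties on the classpath are assumed as well.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

/**
 * Added example: hot-path input validation with ESAPI 2.x.
 * Assumes a "Validator.AccountName" regex rule in validation.properties
 * (hypothetical rule name) and a valid ESAPI.properties on the classpath.
 */
public final class HotPathValidation {

    // Resolve the singletons once at class-init time. ESAPI.validator() and
    // ESAPI.encoder() go through ESAPI's object factory on each call; the
    // returned instances are thread-safe, so holding a static reference is fine.
    private static final Validator VALIDATOR = ESAPI.validator();
    private static final Encoder ENCODER = ESAPI.encoder();

    private HotPathValidation() {
    }

    /**
     * Raw, possibly encoded input (query string, form field, header).
     * The six-argument overload's last parameter is canonicalize; pass true
     * so double- and mixed-encoding tricks are decoded before the regex runs.
     */
    public static String validateRawAccountName(String raw)
            throws ValidationException, IntrusionException {
        return VALIDATOR.getValidInput("accountName", raw, "AccountName", 64, false, true);
    }

    /**
     * Input that was already canonicalized once at the edge of the request.
     * Passing canonicalize=false avoids a second decode pass per field; only do
     * this when you are certain canonicalizeOnce() ran on the same value.
     */
    public static String validateCanonicalAccountName(String canonical)
            throws ValidationException, IntrusionException {
        return VALIDATOR.getValidInput("accountName", canonical, "AccountName", 64, false, false);
    }

    /**
     * Canonicalize a value exactly once. Encoder.canonicalize() may throw
     * IntrusionException (unchecked) on multiple/mixed encodings, depending on
     * the Encoder.AllowMultipleEncoding / Encoder.AllowMixedEncoding settings.
     */
    public static String canonicalizeOnce(String raw) {
        return ENCODER.canonicalize(raw);
    }

    /** Typical request-handling shape: canonicalize once, validate many fields without re-decoding. */
    public static String handle(String rawAccountName) throws ValidationException {
        String canonical = canonicalizeOnce(rawAccountName);
        return validateCanonicalAccountName(canonical);
    }
}
```

Whichever overload you pick, measure rather than guess: profile the request path (for example with a JFR recording) before and after switching to cached references and an explicit `canonicalize` flag, and confirm where the time actually goes; an unexpectedly slow validator is more often a regex rule with catastrophic backtracking or a logger configured to write synchronously than the singleton lookup itself.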

I've deployed esapi into applications that handle 1500+ concurrent, multiple users and haven't faced an issue like this.

Please provide a sample web application that reproduces the issue.

Otherwise, I recommend closing.

xeno6696 avatar Dec 24 '15 17:12 xeno6696

Any of you who are helping with ESAPI in terms of doing documentation want to take on adding something like this to either a local GitHub wiki page or maybe to a FAQ? If so, let me know your GitHub account name and I'll add you as a contributor and assign this to you. Thanks!

kwwall avatar Jan 13 '16 06:01 kwwall

I can most certainly assist. Documentation is everybody's responsibility.

xeno6696 avatar Jan 13 '16 11:01 xeno6696

Put this on the FUTURE CONSIDERATION list: As long as ESAPI is going to be using singletons (sigh), we might as well take advantage of that and cache those objects. The org.owasp.esapi.util.ObjFactory class' make() method should check if a class has a singleton (currently lines 77 through 86 as of this writing) and if it does, rather than invoking the singleton's getInstance() method, it should see if that class has an instance in a local cache. If so, return the singleton instance from that cache. If not, invoke the singleton, add it to the local cache, and then return the singleton instance. Since most (all?) things in ESAPI are singletons and since most people are using things like ESAPI.validator().getValidInput( params ) thousands of times without saving the ESAPI.validator() singleton instance, that conceivably could help save some CPU cycles. (May need means to clear that ObjFactory cache though.)

Note at this point, this is only an IDEA. It should be discussed based on its pros and cons BEFORE someone rushes off to implement it. (Quotes Knuth's "premature optimization is the root of all evil" :) I wouldn't expect major speed-up since the JIT optimizer generally probably does this pretty well for 95% of the cases.

kwwall avatar Jan 26 '19 23:01 kwwall
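As an added sketch of the caching idea floated in the last comment (hypothetical code, not ESAPI's actual `ObjFactory`, whose internals and line numbers are not reproduced here): a factory that memoizes only classes exposing a static `getInstance()` method, constructs everything else fresh on each call so non-singleton semantics are unchanged, and exposes the cache-clearing hook the comment says would be needed. The method name `make`, the cache shape and the `getInstance()` convention are assumptions for illustration.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/**
 * Hypothetical caching object factory illustrating the idea from the thread.
 * Not ESAPI code: ESAPI's real ObjFactory is not reproduced here.
 */
public final class CachingObjFactory {

    // Singleton instances keyed by fully qualified class name. ConcurrentHashMap's
    // computeIfAbsent guarantees getInstance() is invoked at most once per key
    // even under concurrent first calls.
    private static final ConcurrentMap<String, Object> SINGLETONS = new ConcurrentHashMap<>();

    private CachingObjFactory() {
    }

    /**
     * Returns an instance of className as the requested type. Classes with a
     * public static no-arg getInstance() are treated as singletons and cached;
     * everything else is instantiated via its no-arg constructor every call.
     */
    public static <T> T make(String className, Class<T> type) {
        Class<?> clazz;
        try {
            clazz = Class.forName(className);
        } catch (ClassNotFoundException e) {
            throw new IllegalArgumentException("No such class: " + className, e);
        }
        Method getInstance = findStaticGetInstance(clazz);
        Object instance;
        if (getInstance != null) {
            // Singleton path: hit the cache, populate it once on a miss.
            instance = SINGLETONS.computeIfAbsent(className, k -> invoke(getInstance));
        } else {
            // Non-singleton path: never cache, preserve one-object-per-call semantics.
            instance = construct(clazz);
        }
        return type.cast(instance);
    }

    /** Drop cached singletons, e.g. after swapping implementations in tests. */
    public static void clearCache() {
        SINGLETONS.clear();
    }

    private static Method findStaticGetInstance(Class<?> clazz) {
        try {
            Method m = clazz.getMethod("getInstance");
            return Modifier.isStatic(m.getModifiers()) ? m : null;
        } catch (NoSuchMethodException e) {
            return null;
        }
    }

    private static Object invoke(Method staticGetInstance) {
        try {
            return staticGetInstance.invoke(null);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("getInstance() failed for "
                    + staticGetInstance.getDeclaringClass().getName(), e);
        }
    }

    private static Object construct(Class<?> clazz) {
        try {
            return clazz.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("Cannot construct " + clazz.getName(), e);
        }
    }
}
```

The security-relevant caveat is the clearing hook: once implementations are cached by class name, anything that reconfigures which implementation a property points at (test harnesses, hot reload of ESAPI.properties) must also clear the cache, or callers silently keep the old object. That is the "may need means to clear that cache" point in the comment above, and it is a reason to measure first, as the comment also says, before adding a second layer of caching on top of singletons the JIT already handles well.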