Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.4.0
- None
- None
Description
When the AliasBasedTokenStateService is employed, the TokenStateService reaper loads the keystore file (via the AliasService and KeyStoreService) very frequently.
- It queries all the token-state-related aliases
- For every token ID
  - Looks up the token again (validateToken())
  - Looks up the token expiration
  - Removes the token expiration alias
  - Removes the token max lifetime alias
This means the KeyStoreService loads the keystore file (1 + 2-to-4-per-token) times every eviction interval (default 5 minutes). That means, if there are 100 expired tokens and 100 unexpired tokens, the reaper will load the keystore file 601 times in one iteration.
As the keystore file size increases, the already poor performance of loading this file degrades even more to the point that the token state reaper can consume 100% of the CPU.
The reaper should operate on the in-memory token state as much as possible, and even remove expired token state in bulk (loading / writing the keystore file once for all).
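The load count above can be reproduced with a small counting model. This is an added example, not Knox code: `CountingKeystore`, the `--max` alias suffix and the sample tokens are assumptions made for the illustration. It runs the per-token pattern from the list and the bulk approach from the last paragraph against 100 expired and 100 unexpired tokens.

```python
# Toy model added for illustration; not Apache Knox code. All names are hypothetical.
MAX = "--max"  # constructed suffix marking a token's max-lifetime alias

class CountingKeystore:
    """Stand-in for a file-backed keystore: every call re-reads the whole file."""
    def __init__(self, aliases):
        self._file, self.loads, self.writes = dict(aliases), 0, 0
    def _load(self):
        self.loads += 1
        return dict(self._file)
    def list_aliases(self):
        return list(self._load())
    def get(self, alias):
        return self._load().get(alias)
    def remove_all(self, aliases):
        data = self._load()                  # one load ...
        for alias in aliases:
            data.pop(alias, None)
        self._file = data                    # ... one write, however many aliases
        self.writes += 1

def build_state(n_expired, n_live, now):
    """Constructed sample: token id -> expiration time in epoch seconds."""
    return {**{f"expired-{i}": now - 1 for i in range(n_expired)},
            **{f"live-{i}": now + 3600 for i in range(n_live)}}

def to_aliases(state):
    return {**state, **{tid + MAX: exp + 86400 for tid, exp in state.items()}}

def reap_per_token(ks, now):
    """Access pattern listed in the description; returns keystore loads."""
    for tid in [a for a in ks.list_aliases() if not a.endswith(MAX)]:  # 1 load
        if ks.get(tid) is None:              # validateToken(): 1 load
            continue
        if ks.get(tid) <= now:               # expiration lookup: 1 load
            ks.remove_all([tid])             # expiration alias: 1 load + write
            ks.remove_all([tid + MAX])       # max-lifetime alias: 1 load + write
    return ks.loads

def reap_bulk(ks, cache, now):
    """Proposed shape: decide from in-memory state, touch the keystore once."""
    expired = [tid for tid, exp in cache.items() if exp <= now]
    if expired:
        ks.remove_all([a for tid in expired for a in (tid, tid + MAX)])
        for tid in expired:
            del cache[tid]
    return ks.loads
```

On this constructed state `reap_per_token` performs 601 loads and 200 writes, while `reap_bulk` performs one load and one write and leaves the same aliases behind.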