When I profiled one of our webservices that uses SAML I noticed, that about half the CPU-time per call gets spent inside
WSSConfig.getProcessor -> Loader.loadClass -> ClassLoader.loadClass
The application server I was running on is Jetty 6 (might have some impact on the performance of classloading, since it's done with the Webapp-Classloader).
When I reviewed the code I noticed that all the actions and processors inside WSSConfig are held in a Map with ID -> [either classname or instance). All the default processors/actions are as Strings (classnames). Most of the processors have to be instantated per invocation, so I couldn't switch from classnames to instances.
I propose to add a third value-variant to the maps: Classes. The included patch contains the changes to WSSConfig. The central parts are inside the static initialization (I added a helper method to shorten initializer) and in the #getProcessor and #getAction methods (a third if-instanceof-part). I retained the dynamic lookup of the opensaml classes.
The patch brings a massive performance enhancement, at least in the jetty-environment (I didn't test other application server) due to not looking up the classes on every invocation. The CPU-time of the wss4j library went from ~50% down to 2%.