I'm going to implement custom JwtDecoder used in OAuth2 resource server.
In the research about default JwtDecoder behaviors, I found SupplierJwtDecoder that lazily initialize JWTDecoder.
What's the advantages of deferring initialization with delegate pattern. It also seems to cause synchronizing problems.
@Override
public Jwt decode(String token) throws JwtException {
if (this.delegate == null) {
synchronized (this.jwtDecoderSupplier) {
if (this.delegate == null) {
try {
this.delegate = this.jwtDecoderSupplier.get();
} catch (Exception ex) {
throw wrapException(ex);
}
}
}
}
return this.delegate.decode(token);
}
The purpose is to defer the JWT checks until the SupplierJwtDecoder is used for the first time instead of looking up the issuer location (or other properties) at the application startup. If you have an application that builds natively, one of the things you are aiming for is startup time, if Spring Security lookup the issuer location at startup time, it would delay it. That's one of the reasons why the SupplierJwtDecoder was created.
You can get more detail on the related issue: https://github.com/spring-projects/spring-security/issues/9991