Replace internal Stream usage with for loops

[rwinch]

Summary

While some prefer the readability of using the Stream APIs, the GC overhead of creating additional objects (including intermediate objects) can cause significant decrease in performance There are some simple benchmarks that illustrate the problem.

We should replace Stream usage with for loops throughout Spring Security's code base.

Related gh-7155

[eddumelendez]

Hi @rwinch, do you think this is good for first-timers-only?

[kostya05983]

Hello @rwinch, I have an experience with stream api and others streams such as rxjava, I can take it in work. Where can I start? is stream api used in all modules?

[rwinch]

Thanks for the offer @kostya05983!

A search shows the following locations contain an import to stream APIs. Note that we should only change private internal code. Please note:

• We should not change any public APIs only internal implementation code
• We do not need to change test code
• We do not need to change sample code

samples/boot/oauth2authorizationserver/src/main/java/sample/AuthorizationServerConfiguration.java
core/src/main/java/org/springframework/security/authorization/AuthorityReactiveAuthorizationManager.java
core/src/main/java/org/springframework/security/converter/RsaKeyConverters.java
core/src/main/java/org/springframework/security/core/userdetails/MapReactiveUserDetailsService.java
config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
config/src/test/java/org/springframework/security/config/http/SecurityFiltersAssertions.java
config/src/test/java/org/springframework/security/config/doc/SpringSecurityXsdParser.java
config/src/test/java/org/springframework/security/config/doc/XsdDocumentedTests.java
config/src/test/java/org/springframework/security/config/doc/XmlNode.java
web/src/main/java/org/springframework/security/web/header/writers/ClearSiteDataHeaderWriter.java
web/src/test/java/org/springframework/security/web/server/header/ClearSiteDataServerHttpHeadersWriterTests.java
web/src/main/java/org/springframework/security/web/server/header/CompositeServerHttpHeadersWriter.java
web/src/main/java/org/springframework/security/web/server/header/ClearSiteDataServerHttpHeadersWriter.java
web/src/main/java/org/springframework/security/web/server/authentication/DelegatingServerAuthenticationSuccessHandler.java
samples/boot/oauth2resourceserver-opaque/src/main/java/org/springframework/boot/env/MockWebServerPropertySource.java
samples/boot/oauth2login/src/integration-test/java/org/springframework/security/samples/OAuth2LoginApplicationTests.java
samples/boot/oauth2resourceserver-multitenancy/src/main/java/org/springframework/boot/env/MockWebServerPropertySource.java
core/src/test/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandlerTests.java
core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java
config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
config/src/test/java/org/springframework/security/config/web/server/OAuth2ResourceServerSpecTests.java
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/MappedJwtClaimSetConverter.java
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTimestampValidatorTests.java
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
web/src/test/java/org/springframework/security/web/server/authentication/logout/LogoutWebFilterTests.java
web/src/main/java/org/springframework/security/web/server/authentication/logout/DelegatingServerLogoutHandler.java
config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpCustomFilterTests.java
config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpJeeTests.java
config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/user/DefaultOAuth2User.java
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/converter/ObjectToListStringConverter.java
oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jose/jws/SignatureAlgorithm.java
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jose/jws/MacAlgorithm.java
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/InMemoryReactiveClientRegistrationRepository.java
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/InMemoryClientRegistrationRepository.java
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java
oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/ReactiveJwtGrantedAuthoritiesConverterAdapterTests.java
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationEntryPoint.java
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.java
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOAuth2TokenIntrospectionClient.java
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionAuthenticationProvider.java
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusReactiveOAuth2TokenIntrospectionClient.java
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/access/BearerTokenAccessDeniedHandler.java
config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/access/server/BearerTokenServerAccessDeniedHandler.java
oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/BearerTokenServerAuthenticationEntryPoint.java

[kostya05983]

Thanks for a detailed guide.

• We should not change any public APIs only internal implementation code
  One question @rwinch :
  If I understand correctly, I shouldn't change any public methods, should I?

[rwinch]

Don't change the method signatures of public methods. Changing how the method is implemented is fine.

[kostya05983]

Ok, @rwinch , I didn't change the signature. I think, the request is ready for review, please see it, when you have a time.