spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Threads getting blocked in RsaVerifier. #796

Open testark opened 8 years ago

testark commented 8 years ago

I'm running into a behaviour which causes threads to block when verifying RS256-signed JWT tokens. The problem seems to be caused by https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java#L50. Here's a thread dump:

java.security.Provider.getService(java.lang.String, java.lang.String) (line: 1035)
sun.security.jca.ProviderList$ServiceList.tryGet(int) (line: 437)
sun.security.jca.ProviderList$ServiceList.access$200(sun.security.jca.ProviderList$ServiceList, int)
sun.security.jca.ProviderList$ServiceList$1.hasNext()
java.security.Signature.getInstance(java.lang.String) (line: 228)
org.springframework.security.jwt.crypto.sign.RsaVerifier.verify(byte[ ], byte[ ]) (line: 50)
(...)

Provider.getService is synchronized, which (I believe) is what is causing threads to block (https://bugs.openjdk.java.net/browse/JDK-7092821). Is there anything that could be done from Spring's side regarding this? Like, for example, caching the Signature instance or providing an aspect that caches the Provider?

testark commented 8 years ago

@dsyer would it be safe to cache Signature in a thread-local fashion? Are there any downsides to this?

dsyer commented 8 years ago

The only downside is the additional complexity in the code I would say. I guess we can look at a pull request?
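The thread-local caching discussed above, written out as an added example (not code from spring-security-oauth): `Signature.getInstance` runs once per thread, so the synchronized `Provider.getService` path from the thread dump is no longer hit on every verification. The class and method names are assumptions, and the `"header.payload"` signing input is constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

/** RS256 verifier that reuses one Signature object per thread (hypothetical class). */
public final class ThreadLocalRsaVerifier {
    private static final String ALG = "SHA256withRSA"; // JCA name for JWT "RS256"
    private final PublicKey key;

    // Signature is not thread-safe, so one shared instance would be wrong; a
    // ThreadLocal gives each thread its own and still avoids the per-call
    // provider lookup that getInstance performs.
    private final ThreadLocal<Signature> signature = ThreadLocal.withInitial(() -> {
        try {
            return Signature.getInstance(ALG);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    });

    public ThreadLocalRsaVerifier(PublicKey key) { this.key = key; }

    public boolean verify(byte[] content, byte[] sig) {
        try {
            Signature s = signature.get();
            s.initVerify(key); // initVerify resets the object, so reuse is safe
            s.update(content);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or key mismatch: reject
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        // Constructed signing input standing in for base64url(header).base64url(payload)
        byte[] signingInput = "header.payload".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance(ALG);
        signer.initSign(kp.getPrivate());
        signer.update(signingInput);
        byte[] sig = signer.sign();

        ThreadLocalRsaVerifier v = new ThreadLocalRsaVerifier(kp.getPublic());
        System.out.println("valid:    " + v.verify(signingInput, sig));
        byte[] tampered = "header.payloaD".getBytes(StandardCharsets.US_ASCII);
        System.out.println("tampered: " + v.verify(tampered, sig));
    }
}
```

In a thread-pool server the ThreadLocal holds one Signature per pool thread for the lifetime of the thread, which is the trade-off against the extra code the maintainer mentions.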