JEP Review Request: Improve Security Manager Performance
David M. Lloyd
david.lloyd at redhat.com
Fri Apr 25 14:54:21 UTC 2014
On 04/25/2014 09:36 AM, Sean Mullan wrote:
> Please review a draft of a proposed research JEP to improve the
> performance of the Security Manager:
>
> http://cr.openjdk.java.net/~mullan/jeps/Improve-Security-Manager-Performance.00
>
> I am particularly interested in any experience you have measuring or
> profiling the performance of your code when run with a Security Manager,
> and any potential ideas for optimizations that you may have.
Great! Security manager performance is a constant source of difficulty
for us.
Some optimization ideas I've had in the past:
- Add a ParametricPrivileged*Action<T, U> which accepts a single
parameter, with corresponding doPrivileged()-style methods which accept
a parameter of the same type. This can in many cases mitigate the need
to construct new PrivilegedActions, encouraging reuse instead.
- Use annotations to designate privileged methods (perhaps in
combination with a requirement that the annotated method be
package-private or private).
The main expense points we've observed in the past mainly revolve around
the actual permission check (chiefly the compilation of the ACC) and
doPrivileged itself though, so in terms of simply optimizing code, those
two areas seem like the best place to start; I think I could probably
get more detailed information about this, time permitting.
Relatedly, it would also be nice if there were some way to simplify or
improve the JAAS Subject association mechanism, which also relies on the
ACC, causing a substantial enough performance cost that (AFAICT) no
major Java EE application server actually prefers this mechanism.
--
- DML
More information about the security-dev
mailing list