Policy provider comparison

Peter Firmstone peter.firmstone at zeus.net.au
Sun Jul 20 02:06:48 UTC 2014 

There doesn't seem to be much interest in adopting an external policy 
provider, so I'll explain how to achieve a significant performance 
improvement, in case someone's interested in improving performance of 
the default jvm policy provider.

   1. Thread confine and immediately discard PermissionCollection
      objects, do not cache them as is done presently.
   2. We created an object representation of grant statements from
      policy files in memory, it is immutable and replaced during policy
      refresh calls, it is also non blocking and highly scalable.
   3. During a policy implies call, collect all grant statements that
      imply a ProtectionDomain from an implies call.  Take Permission
      objects from the grant statements and add them to
      PermissionCollection and Permissions (a heterogenous collection of
      PermissionCollection objects, itself an instance of
      PermissionCollection).  Determine the result of the implies call
      and discard the Permissions, do not cache or share them with other
      threads.
   4. Sort Permission objects before adding them to ProtectionDomain, to
      minimise unnecessary DNS calls from SocketPermission etc.
   5. Do not add Permissions to a ProtectionDomain that delegates to the
      Policy provider, or Permissions may be checked twice.
   6. Only add Permissions to ProtectionDomain's when they have
      AllPermissions or when it does not delegate to a Policy provider.

PermissionCollection was designed to be threadsafe, I think this was a 
mistake (hindsight is 20:20), similar to HashTable and Vector, 
PermissionCollection instances should be thread confined (uncontended 
synchronization is fast).  Permissions has a race condition that 
prevents UnresolvedPermission's from resolving on occassion too, thread 
confinement fixes that too.

Regards,

Peter.

On 19/07/2014 6:31 PM, Peter Firmstone wrote:
> Thought I might provide a comparison using our random stress test on a 
> 4 way sony vaio, JDK7 Windows 7 amd64:
>
> Note that using sun.security.provider.PolicyFile doubles the duration 
> of the stress test and it consumes 73% of CPU.
>
> In comparison org.apache.river.api.security.ConcurrentPolicyFile uses 
> 0% CPU and the test completes in half the time, with our policy 
> provider we run at raw socket speed.
>
> See attached.
>
> Regards,
>
> Peter.

More information about the security-dev mailing list