Slow LoginContext.login() due to repeated ServiceLoader lookups
Seán Coffey
sean.coffey at oracle.com
Tue Aug 27 15:58:17 UTC 2019
Probably best to log a bug to capture this issue.
It reminds me of another issue I've been meaning to wrap up:
https://bugs.openjdk.java.net/browse/JDK-8223260
Similar scenario in how the ContextFactory is searched for. My proposed
patch is to cache a factory per classloader (for the NamingManager issue
at least)
regards,
Sean.
On 27/08/2019 16:16, Florent Guillaume wrote:
> Hi,
>
> When switching from Java 8 to Java 11, we're experiencing an important
> slowdown when executing LoginContext.login(), especially under
> concurrency.
>
> We tracked this down to JDK-8047789 which changed the way the lookup
> of LoginModules is done in LoginContext.invoke. Previously, it was a
> simple Class.forName that is of course extremely optimized.
> After JDK-8047789, there is first a ServiceLoader-based lookup for the
> class. This lookup doesn't seem to be cached. In our case, it has to
> open the 400+ JARs in our classpath (we're not using modules yet) to
> check the content of META-INF/services/javax.security.auth.spi.LoginModule, and in
> addition this hits a synchronized block in ZipFile.getEntry which
> prevents any performance under concurrency.
>
> Is there anything we can do to improve LoginContext.login() in this
> context?
>
> For reference, the code path to the synchronized block:
> at java.util.zip.ZipFile.getEntry(java.base@11.0.4/ZipFile.java:346)
> - locked <0x000000068b18bdd0> (a java.util.jar.JarFile)
> at java.util.zip.ZipFile$1.getEntry(java.base@11.0.4/ZipFile.java:1121)
> at java.util.jar.JarFile.getEntry0(java.base@11.0.4/JarFile.java:576)
> at java.util.jar.JarFile.getEntry(java.base@11.0.4/JarFile.java:506)
> at java.util.jar.JarFile.getJarEntry(java.base@11.0.4/JarFile.java:468)
> at jdk.internal.loader.URLClassPath$JarLoader.getResource(java.base@11.0.4/URLClassPath.java:929)
> at jdk.internal.loader.URLClassPath$JarLoader.findResource(java.base@11.0.4/URLClassPath.java:912)
> at jdk.internal.loader.URLClassPath$1.next(java.base@11.0.4/URLClassPath.java:341)
> at jdk.internal.loader.URLClassPath$1.hasMoreElements(java.base@11.0.4/URLClassPath.java:351)
> at java.net.URLClassLoader$3$1.run(java.base@11.0.4/URLClassLoader.java:687)
> at java.net.URLClassLoader$3$1.run(java.base@11.0.4/URLClassLoader.java:685)
> at java.security.AccessController.doPrivileged(java.base@11.0.4/Native Method)
> at java.net.URLClassLoader$3.next(java.base@11.0.4/URLClassLoader.java:684)
> at java.net.URLClassLoader$3.hasMoreElements(java.base@11.0.4/URLClassLoader.java:709)
> at java.lang.CompoundEnumeration.next(java.base@11.0.4/ClassLoader.java:3022)
> at java.lang.CompoundEnumeration.hasMoreElements(java.base@11.0.4/ClassLoader.java:3031)
> at org.apache.catalina.loader.WebappClassLoaderBase$CombinedEnumeration.inc(WebappClassLoaderBase.java:2670)
> at org.apache.catalina.loader.WebappClassLoaderBase$CombinedEnumeration.hasMoreElements(WebappClassLoaderBase.java:2655)
> at java.util.ServiceLoader$LazyClassPathLookupIterator.nextProviderClass(java.base@11.0.4/ServiceLoader.java:1202)
> at java.util.ServiceLoader$LazyClassPathLookupIterator.hasNextService(java.base@11.0.4/ServiceLoader.java:1220)
> at java.util.ServiceLoader$LazyClassPathLookupIterator.hasNext(java.base@11.0.4/ServiceLoader.java:1264)
> at java.util.ServiceLoader$2.hasNext(java.base@11.0.4/ServiceLoader.java:1299)
> at java.util.ServiceLoader$3.hasNext(java.base@11.0.4/ServiceLoader.java:1384)
> at javax.security.auth.login.LoginContext.invoke(java.base@11.0.4/LoginContext.java:691)
> at javax.security.auth.login.LoginContext$4.run(java.base@11.0.4/LoginContext.java:665)
> at javax.security.auth.login.LoginContext$4.run(java.base@11.0.4/LoginContext.java:663)
> at java.security.AccessController.doPrivileged(java.base@11.0.4/Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(java.base@11.0.4/LoginContext.java:663)
> at javax.security.auth.login.LoginContext.login(java.base@11.0.4/LoginContext.java:574)
>
> Thanks,
>
> Florent
>
> --
> Florent Guillaume, Head of R&D, Nuxeo
More information about the security-dev
mailing list
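
The per-classloader caching idea from the reply, applied to the LoginModule lookup described in the quoted message, as an added example: this is not JDK code and not the proposed patch, and the class name `LoginModuleClassCache` and its `resolve` method are hypothetical. It assumes the lookup order the message describes (ServiceLoader scan first, then `Class.forName`).

```java
import java.lang.ref.WeakReference;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.WeakHashMap;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.spi.LoginModule;

/** Hypothetical helper (not JDK code): resolve a LoginModule class once per loader. */
public final class LoginModuleClassCache {
    // Weak keys let an undeployed webapp's class loader be collected. The cached
    // Class is held weakly as well, because a Class strongly references its loader
    // and a strong value would pin the key in the WeakHashMap forever.
    private static final Map<ClassLoader, Map<String, WeakReference<Class<? extends LoginModule>>>>
            CACHE = Collections.synchronizedMap(new WeakHashMap<>());

    private LoginModuleClassCache() { }

    public static Class<? extends LoginModule> resolve(String name, ClassLoader cl)
            throws ClassNotFoundException {
        Map<String, WeakReference<Class<? extends LoginModule>>> perLoader =
                CACHE.computeIfAbsent(cl, k -> new ConcurrentHashMap<>());
        WeakReference<Class<? extends LoginModule>> ref = perLoader.get(name);
        Class<? extends LoginModule> cached = (ref == null) ? null : ref.get();
        if (cached != null) {
            return cached;                       // fast path: no JAR is opened
        }
        Class<? extends LoginModule> found = lookup(name, cl);
        perLoader.put(name, new WeakReference<>(found));
        return found;
    }

    // Slow path, run once per (loader, name): provider scan, then Class.forName.
    private static Class<? extends LoginModule> lookup(String name, ClassLoader cl)
            throws ClassNotFoundException {
        Iterator<ServiceLoader.Provider<LoginModule>> it =
                ServiceLoader.load(LoginModule.class, cl).stream().iterator();
        while (it.hasNext()) {
            Class<? extends LoginModule> type = it.next().type();  // no instantiation
            if (type.getName().equals(name)) {
                return type;
            }
        }
        return Class.forName(name, false, cl).asSubclass(LoginModule.class);
    }
}
```

Keying the cache by class loader keeps one web application's module class from being handed to another. A cached entry does not notice providers added to the classpath after the first lookup.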