[
https://issues.redhat.com/browse/ISPN-12126?page=com.atlassian.jira.plugi...
]
Gustavo Fernandes updated ISPN-12126:
-------------------------------------
Description:
Currently, the BASIC auth token is cached on a per-connection basis in the RestHandler.
This works fine for HTTP/1 with keep-alive, but not for HTTP/2, because it multiplexes and
uses one child-channel per each simultaneous request/response pair (stream).
-One suggestion is to use
{{[org.wildfly.security.auth.realm.CachingSecurityRealm|https://wildfly-security.github.io/wildfly-elytron/1.1.x/org/wildfly/security/auth/realm/CachingSecurityRealm.html]}}
around the supported security realms to cache credentials for a configurable amount of
time, or based on the number of credentials. This would also improve Hot Rod since the
security realms are global-
EDIT: CachingSecurityRealm apparently only caches the credential lookup and not the
validation which is very costly.
Regarding DIGEST authentication, due to the existence of the (client) nonce, clients must
send different headers every request time, so caching the header in the server will not
work.
was:
Currently, the BASIC auth token is cached on a per-connection basis in the RestHandler.
This works fine for HTTP/1 with keep-alive, but not for HTTP/2, because it multiplexes and
uses one child-channel per each simultaneous request/response pair (stream).
-One suggestion is to use
{{[org.wildfly.security.auth.realm.CachingSecurityRealm|https://wildfly-security.github.io/wildfly-elytron/1.1.x/org/wildfly/security/auth/realm/CachingSecurityRealm.html]}}
around the supported security realms to cache credentials for a configurable amount of
time, or based on the number of credentials. This would also improve Hot Rod since the
security realms are global-
EDIT: CachingSecurityRealm apparently only cache the credential lookup and not the
validation which is very costly.
Regarding DIGEST authentication, due to the existence of the (client) nonce, clients must
send different headers every request time, so caching the header in the server will not
work.
Performance drop when using auth in REST
----------------------------------------
Key: ISPN-12126
URL:
https://issues.redhat.com/browse/ISPN-12126
Project: Infinispan
Issue Type: Bug
Components: REST, Security
Affects Versions: 11.0.1.Final
Reporter: Gustavo Fernandes
Priority: Major
Currently, the BASIC auth token is cached on a per-connection basis in the RestHandler.
This works fine for HTTP/1 with keep-alive, but not for HTTP/2, because it multiplexes and
uses one child-channel per each simultaneous request/response pair (stream).
-One suggestion is to use
{{[org.wildfly.security.auth.realm.CachingSecurityRealm|https://wildfly-security.github.io/wildfly-elytron/1.1.x/org/wildfly/security/auth/realm/CachingSecurityRealm.html]}}
around the supported security realms to cache credentials for a configurable amount of
time, or based on the number of credentials. This would also improve Hot Rod since the
security realms are global-
EDIT: CachingSecurityRealm apparently only caches the credential lookup and not the
validation which is very costly.
Regarding DIGEST authentication, due to the existence of the (client) nonce, clients must
send different headers every request time, so caching the header in the server will not
work.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)