[JBoss JIRA] (WFLY-6452) Unable to tune 'default' cache as used by JBossCachedAuthenticationManager leading to valid entries being prematurely evicted.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-6452:
-----------------------------------
Summary: Unable to tune 'default' cache as used by JBossCachedAuthenticationManager leading to valid entries being prematurely evicted. (was: JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user)
> Unable to tune 'default' cache as used by JBossCachedAuthenticationManager leading to valid entries being prematurely evicted.
> ------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-6452
> URL: https://issues.jboss.org/browse/WFLY-6452
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web (Undertow)
> Affects Versions: 10.0.0.Final
> Reporter: Juan AMAT
> Assignee: Darran Lofthouse
>
> While doing some performance testing of our application on WildFly 10.0.0.Final we noticed a huge difference in CPU utilization versus the same test on JBoss EAP 6.4.
> What the test is doing is to run concurrently 2500 clients that log in to a webapp (FORM-based authentication) and that send a request every 15 seconds on average.
> In JBoss EAP 6.4 CPU utilization was about 10% on a 24-core machine with one 20G JVM.
> With WildFly it was 95%+.
> Thread dumps showed a lot of threads in the JAAS login module.
> We are using org.jboss.security.auth.spi.DatabaseServerLoginModule.
> This was strange because all the users were already authenticated.
> It turns out that in WildFly JBossCachedAuthenticationManager.isValid is called on every HTTP request. This is not the case in EAP 6.4.
> The problem then is that we have configured the security-domain with 'cache-type=default', which will use a cache of 1000 entries, fewer than the number of our clients.
> The 'isValid' method will try to find the Principal in the cache, will not find it (most of the time) and will trigger an authentication.
> We can work around this using 'cache-type=infinispan' with a local-cache with more entries (and this is why I did not set this ticket as a blocker).
> But this is just a workaround IMO.
> Why is 'isValid' called on every request in WildFly?
> On a related note, it would also be nice to be able to configure the number of entries in the cache when using 'cache-type=default'.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 1 month
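As an added example, not code from WildFly or PicketBox, the following Python model reproduces the cache behaviour the report above describes: 2500 authenticated clients, a 1000-entry security-domain cache, and isValid() consulted on every request. The class and function names (LruAuthCache, CachedAuthenticationManager, simulate, miss_rate, logins_per_second) are invented for illustration, and the assumption that the 'default' cache evicts least-recently-used entries is mine, not something the ticket states. It shows the point a practitioner should take away: once the active user population exceeds the cache, per-request validation degenerates into re-running the login module (a database round trip in the reporter's case) for essentially every request, while a cache sized above the population, or the EAP 6.4 session-bound behaviour, costs only the initial logins.

```python
# Added example (not WildFly or PicketBox code): a toy model of the cache
# behaviour reported in WFLY-6452.  Names below are invented for illustration;
# only the numbers (2500 clients, 1000-entry default cache, one request per
# client every ~15 s) come from the report.  The LRU policy is an assumption.
from collections import OrderedDict


class LruAuthCache:
    """Fixed-capacity LRU keyed by principal name, standing in for the
    'default' security-domain cache (assumed LRU; the real policy may differ)."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self._entries = OrderedDict()

    def contains(self, principal):
        if principal in self._entries:
            self._entries.move_to_end(principal)   # touch: now most recent
            return True
        return False

    def put(self, principal):
        self._entries[principal] = True
        self._entries.move_to_end(principal)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)      # evict least recently used


class CachedAuthenticationManager:
    """Models isValid(): a cache hit is cheap, a miss re-runs the login
    module (in the report, DatabaseServerLoginModule querying the database)."""

    def __init__(self, cache):
        self.cache = cache
        self.login_module_calls = 0

    def is_valid(self, principal):
        if self.cache.contains(principal):
            return True
        self.login_module_calls += 1               # the expensive path
        self.cache.put(principal)
        return True


def simulate(clients, cache_size, rounds, validate_every_request):
    """Return the number of login-module invocations.

    validate_every_request=True  -> WildFly 10 behaviour (isValid() per request)
    validate_every_request=False -> EAP 6.4 behaviour (identity bound to the
                                    HTTP session after the FORM login)
    Each round every client sends one request, round-robin.  Round-robin is
    the worst case for LRU: each principal is re-touched exactly `clients`
    accesses after its previous touch, so with clients > cache_size it has
    always been evicted by the time it comes back.
    """
    mgr = CachedAuthenticationManager(LruAuthCache(cache_size))
    principals = ["user%d" % i for i in range(clients)]
    for p in principals:                           # initial FORM login
        mgr.is_valid(p)
    for _ in range(rounds):
        for p in principals:
            if validate_every_request:
                mgr.is_valid(p)
    return mgr.login_module_calls


def miss_rate(clients, cache_size, rounds):
    """Fraction of per-request isValid() calls that fall through to the
    login module, excluding the initial logins."""
    calls = simulate(clients, cache_size, rounds, True) - clients
    return calls / float(clients * rounds)


def logins_per_second(clients, cache_size, rounds, interval_s=15.0):
    """Steady-state login-module invocations per second, assuming each
    client sends one request every interval_s seconds."""
    calls = simulate(clients, cache_size, rounds, True) - clients
    return calls / (rounds * interval_s)


if __name__ == "__main__":
    for label, size, per_request in [
        ("EAP 6.4 style, session-bound identity", 1000, False),
        ("WildFly 10, default cache (1000 entries)", 1000, True),
        ("WildFly 10, infinispan local-cache sized for 4000", 4000, True),
    ]:
        calls = simulate(2500, size, rounds=10, validate_every_request=per_request)
        print("%-52s login-module calls: %6d" % (label, calls))
    print("miss rate with 1000-entry cache: %.0f%%" % (100 * miss_rate(2500, 1000, 10)))
    print("steady-state login-module calls/s: %.0f" % logins_per_second(2500, 1000, 10))
```

The cliff is the thing to watch for: the miss rate is not proportional to how far the population exceeds the cache, it jumps to 100% as soon as it does, so ordinary authenticated traffic becomes a sustained load on the credential store (here about 167 login-module runs per second). When sizing the infinispan local-cache used as the workaround, set its capacity above the expected number of concurrent authenticated sessions and monitor the miss rate rather than only CPU.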
[JBoss JIRA] (ELY-445) Usage of RuntimePermission in SecurityIdentity
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-445?page=com.atlassian.jira.plugin.sy... ]
David Lloyd reassigned ELY-445:
-------------------------------
Fix Version/s: 1.1.0.Beta5
Assignee: David Lloyd
Resolution: Done
> Usage of RuntimePermission in SecurityIdentity
> ----------------------------------------------
>
> Key: ELY-445
> URL: https://issues.jboss.org/browse/ELY-445
> Project: WildFly Elytron
> Issue Type: Task
> Components: API / SPI
> Reporter: David Lloyd
> Assignee: David Lloyd
> Fix For: 1.1.0.Beta5
>
>
> We are currently using a RuntimePermission in SecurityIdentity to authorize the calling protection domain to do a run-as conversion. Since RuntimePermission is managed by the JDK, we should switch to another permission, such as ElytronPermission or an AbstractBooleanPermission subclass, to represent this permission.
8 years, 1 month
[JBoss JIRA] (WFLY-6452) JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse commented on WFLY-6452:
----------------------------------------
Mechanisms such as Digest authentication require per-request validation; associating the authenticated identity with the HTTP session bypasses this.
Regardless, JBossCachedAuthenticationManager provides caching itself, so there is no need for it to also be cached in the HTTP session.
8 years, 1 month
[JBoss JIRA] (WFLY-6452) JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
by Juan AMAT (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Juan AMAT commented on WFLY-6452:
---------------------------------
Sorry to be so obtuse, but I still do not follow you. Which HTTP mechanisms are you talking about?
As for the 'bad practice', what exactly are you referring to? Is this the fact that the session id could be hijacked? But even then isValid will not help.
I must be missing something, but in my case I just increased the size of the cache and I am not sure how isValid() will protect me against anything.
8 years, 1 month
[JBoss JIRA] (WFLY-6452) JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse commented on WFLY-6452:
----------------------------------------
Because there are many HTTP mechanisms where associating an authenticated identity with a session is bad practice, the caching is now deferred to the JBossCachedAuthenticationManager.
8 years, 1 month
[JBoss JIRA] (WFLY-6452) JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
by Juan AMAT (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Juan AMAT commented on WFLY-6452:
---------------------------------
I am not sure if I understand. The user has already been authenticated and the session is still valid.
So why do we need this call? Again in EAP this is not the case.
8 years, 1 month
[JBoss JIRA] (WFLY-6452) JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse commented on WFLY-6452:
----------------------------------------
isValid() is called on every request so we have a single cache to make the decision as to whether additional authentication is required. I agree, however, that this would benefit from the cache being tunable to avoid this situation with a large number of users.
8 years, 1 month
[JBoss JIRA] (WFLY-6452) JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-6452:
-----------------------------------
Component/s: Security
(was: Security Manager)
8 years, 1 month
[JBoss JIRA] (WFLY-6452) JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse reassigned WFLY-6452:
--------------------------------------
Assignee: Darran Lofthouse (was: Stefan Guilhen)
> JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
> --------------------------------------------------------------------------------------------------
>
> Key: WFLY-6452
> URL: https://issues.jboss.org/browse/WFLY-6452
> Project: WildFly
> Issue Type: Bug
> Components: Security Manager, Web (Undertow)
> Affects Versions: 10.0.0.Final
> Reporter: Juan AMAT
> Assignee: Darran Lofthouse
> Priority: Critical
>
8 years, 1 month
[JBoss JIRA] (WFLY-6452) JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-6452?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-6452:
-----------------------------------
Priority: Major (was: Critical)
> JBossCachedAuthenticationManager.isValid is called on every http requests of an authenticated user
> --------------------------------------------------------------------------------------------------
>
> Key: WFLY-6452
> URL: https://issues.jboss.org/browse/WFLY-6452
> Project: WildFly
> Issue Type: Bug
> Components: Security Manager, Web (Undertow)
> Affects Versions: 10.0.0.Final
> Reporter: Juan AMAT
> Assignee: Darran Lofthouse
>
8 years, 1 month