Erica Smith updated SECURITY-691:
---------------------------------
Description:
Using: Picketbox ACL 3.0.0 Final
Running in JBoss AS 6.1.0 Final
Problem: The JBossACLContext reinitializes itself and its persistence strategy on every
authorization request.
Steps to reproduce:
Configure role based ACL in the security domain, like so:
{quote}<acl>
  <acl-module code="org.jboss.security.acl.RoleBasedACLProviderImpl">
    <module-option name="persistenceStrategy">org.jboss.security.acl.JPAPersistenceStrategy</module-option>
  </acl-module>
</acl>{quote}
Initialize the security manager from initial context, like so:
{quote}manager = (AuthorizationManager) new InitialContext().lookup("java:jaas/my-security-domain/authorizationMgr");{quote}
Add a set of testing permissions to the database.
Make a call to manager.authorize(Resource resource, Identity identity, Permission permission)
When the call comes through to JBossACLContext.authorize, the "initializeModules" function is called every time. This destroys any previous ACL providers and instantiates a new one, along with the required persistence strategy. This then results in several Hibernate calls to validate the database structure. This provider *is* added to the context, but will only be used once. Any subsequent calls will cause the provider to be removed and re-added again.
This is causing all ACL permission checks to be painfully slow - no more than two or three checks a second - and needlessly database hungry.
It seems like the initialize code should return immediately if the module has already been initialized. This would save considerable time during the auth checks.
was:
Picketbox ACL 3.0.0 Final
Running in JBoss AS 6.1.0 Final
Steps to Reproduce: (was: Configure role based ACL in the security domain, like so:
<acl>
  <acl-module code="org.jboss.security.acl.RoleBasedACLProviderImpl">
    <module-option name="persistenceStrategy">org.jboss.security.acl.JPAPersistenceStrategy</module-option>
  </acl-module>
</acl>
Initialize the security manager from initial context, like so:
manager = (AuthorizationManager) new InitialContext().lookup("java:jaas/my-security-domain/authorizationMgr");
Add a set of testing permissions to the database.
Make a call to manager.authorize(Resource resource, Identity identity, Permission permission)
When the call comes through to JBossACLContext.authorize, the "initializeModules" function is called every time. This destroys any previous ACL providers and instantiates a new one, along with the required persistence strategy. This then results in several Hibernate calls to validate the database structure. This provider *is* added to the context, but will only be used once. Any subsequent calls will cause the provider to be removed and re-added again.
This is causing all ACL permission checks to be painfully slow - no more than two or three checks a second - and needlessly database hungry.
It seems like the initialize code should return immediately if the module has already been initialized. This would save considerable time during the auth checks.)
ACLContext reinitializing on every auth request
-----------------------------------------------
Key: SECURITY-691
URL: https://issues.jboss.org/browse/SECURITY-691
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public(Everyone can see)
Reporter: Erica Smith
Assignee: Anil Saldhana
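An added Java sketch, not PicketBox code and with every class and method name invented, that contrasts the reported re-initialize-on-every-call behaviour with the early-return guard the report proposes. Because an AuthorizationManager looked up from JNDI is shared by every caller in the server, the guard is double-checked under a lock rather than a plain flag test, so concurrent first callers cannot each build their own provider.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical sketch (not PicketBox source) of the behaviour in SECURITY-691:
// one mode re-runs initializeModules() on every authorize() call, the other
// returns early once the modules exist. All names here are invented.
public class AclContextSketch {
    // Counts provider constructions; in the real system each one also builds a
    // persistence strategy and triggers Hibernate schema validation queries.
    static final AtomicInteger providersBuilt = new AtomicInteger();

    static final class RoleBasedProvider {
        RoleBasedProvider() { providersBuilt.incrementAndGet(); }
        boolean isGranted(String identity, String permission) {
            return "admin".equals(identity) || "read".equals(permission);
        }
    }

    private final List<RoleBasedProvider> modules = new ArrayList<>();
    private final boolean initOnce;
    private volatile boolean initialized;

    AclContextSketch(boolean initOnce) { this.initOnce = initOnce; }

    // Reported behaviour: existing providers are discarded and rebuilt.
    private void initializeModules() {
        modules.clear();
        modules.add(new RoleBasedProvider());
    }

    boolean authorize(String identity, String permission) {
        if (!initOnce) {
            initializeModules();                 // the bug: unconditional re-init
        } else if (!initialized) {
            synchronized (this) {                // the manager is shared by all callers
                if (!initialized) {              // re-check under the lock
                    initializeModules();
                    initialized = true;          // volatile write publishes 'modules'
                }
            }
        }
        return modules.get(0).isGranted(identity, permission);
    }

    public static void main(String[] args) {
        AclContextSketch buggy = new AclContextSketch(false);
        for (int i = 0; i < 1000; i++) buggy.authorize("bob", "read");
        int rebuilt = providersBuilt.getAndSet(0);
        AclContextSketch fixed = new AclContextSketch(true);
        for (int i = 0; i < 1000; i++) fixed.authorize("bob", "read");
        System.out.println("providers built: buggy=" + rebuilt + ", guarded=" + providersBuilt.get());
    }
}
```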