Slow policy evaluation with a large number of policy sets --------------------------------------------------------- Key: SECURITY-734 URL: https://issues.jboss.org/browse/SECURITY-734 Project: PicketBox Issue Type: Enhancement Security Level: Public(Everyone can see) Environment: RedHat Linux 6.0, WebSphere Application Server 7.0 Reporter: Maxim Zinal Assignee: Anil Saldhana Attachments: fix-734.patch We suffer a performance problem in the evaluation of large XACML configuration. We use JBoss (Sun?) XACML library to process a large number of policy sets (over 2400 policy set files) using "deny-override" combining algorithm. Initially the number of policies was relatively small, but it increased with time, leading to performance degradation, with 100% CPU (single)core consumption. After running a code sample under Java profiler, we found that 99% of time is spent in method PolicySetFinderModule.findPolicy(URI, int, VersionConstraints, PolicyMetaData). This method walks through a list of AbstractPolicy objects, comparing an ID of each object with it's first argument. In our configuration the number of such objects is relatively large, leading to slow execution with high CPU consumption. We suggest replacing the list of AbstractPolicy with a HashMap. Our experiments show that total evaluation time reduces ~50 times with a HashMap over List implementation.