On Mon, Jun 8, 2015 at 8:25 AM, Philippe Marschall <kustos@gmx.net> wrote:

I’m aware this may not technically be the right list to discuss this, but this list is impacted by this and fairly active.

During load testing of our application we found a case where we spend 10% of our CPU time in SimpleRole#equals (see attachment). This is because SimpleRoleGroup uses an ArrayList to maintain a unique set of roles. As a result it has to call ArrayList#contains a lot, which is itself O(n). In fact, because that’s done when iterating over all the roles, it becomes O(n^2). In our case our principals can have up to 200 roles. I don’t know if this is exceptionally many or a common case.

200 doesn't seem like so many. The "problem" often is that the term "role" makes people think they are only allowed to use it for things like "administrator" and "manager" and such. In that view, 200 may be a lot.

But, nothing in Java EE security imposes this, and if you want to use roles with names like "can_see_updated_interest", then 200 is really nothing.

From the call stack, I guess this is triggered via @RolesAllowed on an EJB right?

Theoretically, this is where JACC could come in according to the Java EE standards. This would allow you to implement your own (optimized if necessary) logic for "is user/caller in role".

However, despite being Java EE 7 certified, it seems it's not actually possible to install a JACC provider on JBoss. This is a bit of a spec hole, unfortunately. Most of the code seems to be there in JBoss (WildFly), but there's just no place where you can actually put your own JACC provider.

Kind regards,
Arjan Tijms
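The quadratic cost Philippe describes is easy to see in isolation. The following is an added, self-contained example (not code from this thread, nor from JBoss/PicketBox/WildFly); the `Role`, `ListRoleGroup` and `SetRoleGroup` classes are constructed stand-ins, and `equals()` is instrumented with a call counter so the cost is visible without timing noise. It builds a principal with 200 fine-grained roles, once behind an ArrayList whose uniqueness check is `contains()`, and once behind a HashSet, then performs a single "is caller in role" check for a role the caller does not have (the worst case, since the whole group must be examined). It assumes Java 8 or later.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Constructed stand-in for a role. equals() counts its invocations so the
// comparison cost of each group implementation can be observed directly.
final class Role {
    static long equalsCalls = 0;
    private final String name;
    Role(String name) { this.name = name; }
    @Override public boolean equals(Object o) {
        equalsCalls++;
        return o instanceof Role && ((Role) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return name; }
}

// List-backed group: uniqueness is enforced with contains(), a linear scan.
// Adding n distinct roles therefore costs roughly n(n-1)/2 equals() calls,
// and every later membership check costs up to n more.
final class ListRoleGroup {
    private final List<Role> roles = new ArrayList<>();
    void addAll(List<Role> incoming) {
        for (Role r : incoming) {
            if (!roles.contains(r)) {   // O(n) per add -> O(n^2) for n adds
                roles.add(r);
            }
        }
    }
    boolean anyMatch(List<Role> required) {
        for (Role r : required) {
            if (roles.contains(r)) return true;   // O(n) per required role
        }
        return false;
    }
}

// Set-backed group: hashCode() narrows candidates to one bucket, so equals()
// runs only against roles that collide on hash (usually none or one).
final class SetRoleGroup {
    private final Set<Role> roles = new HashSet<>();
    void addAll(List<Role> incoming) { roles.addAll(incoming); }
    boolean anyMatch(List<Role> required) {
        for (Role r : required) {
            if (roles.contains(r)) return true;   // expected O(1) per required role
        }
        return false;
    }
}

public class RoleGroupCost {
    public static void main(String[] args) {
        int n = 200;   // the role count from the thread
        List<Role> principalRoles = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            principalRoles.add(new Role("can_do_thing_" + i));   // constructed names
        }
        // The role a @RolesAllowed-style check would demand; deliberately one the
        // caller lacks, so the check cannot stop early.
        List<Role> required = Collections.singletonList(new Role("admin"));

        Role.equalsCalls = 0;
        ListRoleGroup listGroup = new ListRoleGroup();
        listGroup.addAll(principalRoles);
        boolean listResult = listGroup.anyMatch(required);
        long listCost = Role.equalsCalls;

        Role.equalsCalls = 0;
        SetRoleGroup setGroup = new SetRoleGroup();
        setGroup.addAll(principalRoles);
        boolean setResult = setGroup.anyMatch(required);
        long setCost = Role.equalsCalls;

        System.out.printf("ArrayList group: inRole=%b, equals() calls=%d%n", listResult, listCost);
        System.out.printf("HashSet group:   inRole=%b, equals() calls=%d%n", setResult, setCost);
    }
}
```

For 200 roles the list-backed group performs on the order of twenty thousand `equals()` calls for a single build-plus-check, while the set-backed group performs a handful, which is the shape of the profile Philippe attached. Note that a hash-based structure only helps if the role class overrides `hashCode()` consistently with `equals()`, which is the first thing to verify when swapping the collection type.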