[infinispan-issues] [JBoss JIRA] (ISPN-12126) Performance drop when using auth in REST
Gustavo Fernandes (Jira)
issues at jboss.org
Fri Jul 17 11:24:01 EDT 2020
[ https://issues.redhat.com/browse/ISPN-12126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gustavo Fernandes updated ISPN-12126:
-------------------------------------
Description:
Currently, the BASIC auth token is cached on a per-connection basis in the RestHandler. This works fine for HTTP/1 with keep-alive, but not for HTTP/2, because it multiplexes and uses one child-channel per each simultaneous request/response pair (stream).
-One suggestion is to use {{[org.wildfly.security.auth.realm.CachingSecurityRealm|https://wildfly-security.github.io/wildfly-elytron/1.1.x/org/wildfly/security/auth/realm/CachingSecurityRealm.html]}} around the supported security realms to cache credentials for a configurable amount of time, or based on the number of credentials. This would also improve Hot Rod since the security realms are global-
EDIT: CachingSecurityRealm apparently only caches the credential lookup and not the validation which is very costly.
Regarding DIGEST authentication, due to the existence of the (client) nonce, clients must send different headers every request time, so caching the header in the server will not work.
was:
Currently, the BASIC auth token is cached on a per-connection basis in the RestHandler. This works fine for HTTP/1 with keep-alive, but not for HTTP/2, because it multiplexes and uses one child-channel per each simultaneous request/response pair (stream).
-One suggestion is to use {{[org.wildfly.security.auth.realm.CachingSecurityRealm|https://wildfly-security.github.io/wildfly-elytron/1.1.x/org/wildfly/security/auth/realm/CachingSecurityRealm.html]}} around the supported security realms to cache credentials for a configurable amount of time, or based on the number of credentials. This would also improve Hot Rod since the security realms are global-
EDIT: CachingSecurityRealm apparently only cache the credential lookup and not the validation which is very costly.
Regarding DIGEST authentication, due to the existence of the (client) nonce, clients must send different headers every request time, so caching the header in the server will not work.
> Performance drop when using auth in REST
> ----------------------------------------
>
> Key: ISPN-12126
> URL: https://issues.redhat.com/browse/ISPN-12126
> Project: Infinispan
> Issue Type: Bug
> Components: REST, Security
> Affects Versions: 11.0.1.Final
> Reporter: Gustavo Fernandes
> Priority: Major
>
> Currently, the BASIC auth token is cached on a per-connection basis in the RestHandler. This works fine for HTTP/1 with keep-alive, but not for HTTP/2, because it multiplexes and uses one child-channel per each simultaneous request/response pair (stream).
> -One suggestion is to use {{[org.wildfly.security.auth.realm.CachingSecurityRealm|https://wildfly-security.github.io/wildfly-elytron/1.1.x/org/wildfly/security/auth/realm/CachingSecurityRealm.html]}} around the supported security realms to cache credentials for a configurable amount of time, or based on the number of credentials. This would also improve Hot Rod since the security realms are global-
> EDIT: CachingSecurityRealm apparently only caches the credential lookup and not the validation which is very costly.
> Regarding DIGEST authentication, due to the existence of the (client) nonce, clients must send different headers every request time, so caching the header in the server will not work.
>
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
More information about the infinispan-issues
mailing list