[jboss-as7-dev] About the getSecurityManager() optimization
David M. Lloyd
david.lloyd at redhat.com
Mon Mar 4 10:03:40 EST 2013
I'm definitely interested in getting some real idea as to the runtime
cost of (a) these checks and (b) running under a secmgr. I know for
sure that (b) is nowhere near as great as I expected (though obviously
not free), due in part possibly to the Modules<->SM integration code and
Policy implementation which (I believe) enables certain fast-path
optimizations within AccessController.
I would also couple that outstanding question with my observation, based
on analyzing (and refactoring) all 300+ privileged blocks in the AS
codebase, that none of them are in request fast paths, apart from the
privileged action interceptors I just wrote (which would only be used to
replace the (theoretically) similarly expensive existing security
interceptors).
Overall I'd want to see hard numbers before I worry too much. As far as
SPECj goes, if it requires an EE-certified server configuration then it
may have to run under a security manager no matter what (this
configuration is required to be supported by EE 7 and might in turn be
required for apples-to-apples comparison with other servers). In this
case it's no longer a question of "do we do this optimization" and more
a question of "how can we make this as efficient as possible", which IMO
we should be asking anyway.
Based on the analysis I've done so far, I suspect the greater cost of
these doPrivileged calls is one-time class init and general GC load,
both of which I've mitigated really a lot in my security-utils patch
which removed hundreds of anonymous inner classes and replaced a bunch
of action objects with a handful of singletons. And I don't think we're
at the end of what we can do to improve things on this front either.
On 03/04/2013 08:49 AM, Andrig Miller wrote:
> This concerns me where our SPECjEnterprise2010 benchmarking efforts are concerned.
>
> At this point, we cannot afford anything that could degrade throughput and/or increase CPU utilization.
>
> Andy
>
> ----- Original Message -----
>> From: "David M. Lloyd" <david.lloyd at redhat.com>
>> To: "JBoss AS7 Development" <jboss-as7-dev at lists.jboss.org>
>> Sent: Monday, March 4, 2013 7:36:58 AM
>> Subject: [jboss-as7-dev] About the getSecurityManager() optimization
>>
>> We have, in our core code and frameworks, a few chunks of code like
>> this:
>>
>> if (getSecurityManager() == null) {
>> doSomePrivilegedThing();
>> } else {
>> AccessController.doPrivileged(new PrivilegedThingAction());
>> }
>>
>> The idea is that doPrivileged and the action GC load is a cost we
>> should
>> not pay if there's no security manager.
>>
>> There is a potential problem here though. It is possible to install
>> a
>> security manager after the server is started. While this may sound
>> like
>> an odd thing to do, we know that at least one third-party library
>> does
>> in fact install a security manager if you don't prevent it from doing
>> so. Furthermore, as we're required to support running under a
>> security
>> manager, we were talking about allowing the subsystem to install a
>> security manager during extension init instead of requiring it to be
>> sent in to the command at boot.
>>
>> The problem is that if you set a security manager during the window
>> between when the presence of a security manager is checked for, and
>> when
>> the privileged action runs, you run the risk of getting a random
>> SecurityException. We'll call this problem "the SM race".
>>
>> It seems to me that we have a few options for supporting running
>> under a
>> security manager:
>>
>> 1) Require it to be specified at boot (pass -secmgr to JBoss Modules
>> in
>> the start script)
>> 2) Let it be set by a security manager subsystem
>> 3) Just run with a security manager at all times
>>
>> Only #1 would allow the above optimization to work, and that's only
>> if
>> nobody else sets a security manager in the meantime.
>>
>> Given that fact, coupled with the observation that running under a
>> security manager does not appear to significantly impact server boot
>> time, I'm wondering if we should get rid of this optimization
>> wherever
>> it appears and just always use doPrivileged.
>>
>> Maybe once we see what kind of time impact -secmgr has on the test
>> suite, we'll know whether this is a reasonable course of action (I
>> would
>> expect the performance impact to be somewhere between running with
>> and
>> without a security manager for the non-SM case, and of course no
>> impact
>> for the SM case).
>> --
>> - DML
>> _______________________________________________
>> jboss-as7-dev mailing list
>> jboss-as7-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/jboss-as7-dev
>>
--
- DML
More information about the jboss-as7-dev
mailing list