[jboss-jira] [JBoss JIRA] (SECURITY-691) ACLContext reinitializing on every auth request
Erica Smith (JIRA)
jira-events at lists.jboss.org
Tue Aug 14 23:01:14 EDT 2012
[ https://issues.jboss.org/browse/SECURITY-691?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Erica Smith updated SECURITY-691:
---------------------------------
Description:
Using: Picketbox ACL 3.0.0 Final
Running in JBoss AS 6.1.0 Final
Problem: The JBossACLContext reinitializes itself and its persistence strategy on every authorization request.
Steps to reproduce:
Configure role based ACL in the security domain, like so:
{quote}<acl>
<acl-module code="org.jboss.security.acl.RoleBasedACLProviderImpl">
<module-option name="persistenceStrategy">org.jboss.security.acl.JPAPersistenceStrategy</module-option>
</acl-module>
</acl>{quote}
Initialize the security manager from initial context, like so:
{quote}manager = (AuthorizationManager) new InitialContext().lookup("java:jaas/my-security-domain/authorizationMgr");{quote}
Add a set of testing permissions to the database.
Make a call to manager.authorize(Resource resource, Identity identity, Permission permission)
When the call comes through to JBossACLContext.authorize, the "initializeModules" function is called every time. This destroys any previous ACL providers and instantiates a new one, along with the required persistence strategy. This then results in several hibernate calls to validate the database structure. This provider *is* added to the context, but will only be used once. Any subsequent calls will cause the provider to be removed and re-added again.
This is causing all ACL permission checks to be painfully slow - no more than two or three checks a second - and needlessly database hungry.
It seems like the initialize code should return immediately if the module has already been initialized. This would save considerable time during the auth checks.
was:
Picketbox ACL 3.0.0 Final
Running in JBoss AS 6.1.0 Final
Steps to Reproduce: (was: Configure role based ACL in the security domain, like so:
<acl>
<acl-module code="org.jboss.security.acl.RoleBasedACLProviderImpl">
<module-option name="persistenceStrategy">org.jboss.security.acl.JPAPersistenceStrategy</module-option>
</acl-module>
</acl>
Initialize the security manager from initial context, like so:
manager = (AuthorizationManager) new InitialContext().lookup("java:jaas/my-security-domain/authorizationMgr");
Add a set of testing permissions to the database.
Make a call to manager.authorize(Resource resource, Identity identity, Permission permission)
When the call comes through to JBossACLContext.authorize, the "initializeModules" function is called every time. This destroys any previous ACL providers and instantiates a new one, along with the required persistence strategy. This then results in several hibernate calls to validate the database structure. This provider *is* added to the context, but will only be used once. Any subsequent calls will cause the provider to be removed and re-added again.
This is causing all ACL permission checks to be painfully slow - no more than two or three checks a second - and needlessly database hungry.
It seems like the initialize code should return immediately if the module has already been initialized. This would save considerable time during the auth checks.)
> ACLContext reinitializing on every auth request
> -----------------------------------------------
>
> Key: SECURITY-691
> URL: https://issues.jboss.org/browse/SECURITY-691
> Project: PicketBox (JBoss Security and Identity Management)
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Reporter: Erica Smith
> Assignee: Anil Saldhana
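The behaviour the report describes, and the fix it suggests, sketched as an added example (this is not PicketBox code; the classes below are stand-ins for JBossACLContext, RoleBasedACLProviderImpl and JPAPersistenceStrategy, and a constructor counter stands in for the Hibernate schema-validation round trips). The first context rebuilds its provider and persistence strategy on every authorize(); the second applies the return-if-already-initialized guard the reporter proposes, checked under a lock so that concurrent first callers cannot both rebuild.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical stand-ins for the PicketBox types named in the report; not the real classes.
interface PersistenceStrategy {
    boolean isGranted(String resource, String identity, String permission);
}

interface ACLProvider {
    boolean isAllowed(String resource, String identity, String permission);
}

// Counts how often the (expensive) persistence strategy is constructed. In the real
// deployment each construction is where the Hibernate schema-validation calls happen.
final class CountingJPAPersistenceStrategy implements PersistenceStrategy {
    static final AtomicInteger constructed = new AtomicInteger();

    CountingJPAPersistenceStrategy() {
        constructed.incrementAndGet();
    }

    // Constructed sample ACL: "alice" may "read" anything. Stands in for rows in the DB.
    public boolean isGranted(String resource, String identity, String permission) {
        return "alice".equals(identity) && "read".equals(permission);
    }
}

final class RoleBasedACLProvider implements ACLProvider {
    private final PersistenceStrategy strategy;

    RoleBasedACLProvider(PersistenceStrategy strategy) {
        this.strategy = strategy;
    }

    public boolean isAllowed(String resource, String identity, String permission) {
        return strategy.isGranted(resource, identity, permission);
    }
}

// Shape of the reported bug: every authorize() tears down and rebuilds the providers.
class ReinitializingACLContext {
    protected final List<ACLProvider> providers = new ArrayList<>();

    protected void initializeModules() {
        providers.clear();
        providers.add(new RoleBasedACLProvider(new CountingJPAPersistenceStrategy()));
    }

    public boolean authorize(String resource, String identity, String permission) {
        initializeModules();
        for (ACLProvider p : providers) {
            if (p.isAllowed(resource, identity, permission)) {
                return true;
            }
        }
        return false;
    }
}

// Suggested fix: initialization is idempotent. The flag is volatile and re-checked inside
// the lock (double-checked locking) because authorize() runs concurrently in the server.
class InitOnceACLContext extends ReinitializingACLContext {
    private volatile boolean initialized;

    @Override
    protected void initializeModules() {
        if (initialized) {
            return;
        }
        synchronized (this) {
            if (initialized) {
                return;
            }
            super.initializeModules();
            initialized = true;
        }
    }
}

public class ACLContextReinitDemo {
    // Returns how many persistence strategies were built while servicing `calls` checks.
    static int constructionsFor(ReinitializingACLContext ctx, int calls) {
        int before = CountingJPAPersistenceStrategy.constructed.get();
        for (int n = 0; n < calls; n++) {
            ctx.authorize("/orders/42", "alice", "read");
        }
        return CountingJPAPersistenceStrategy.constructed.get() - before;
    }

    public static void main(String[] args) {
        System.out.println("reinitializing context: "
                + constructionsFor(new ReinitializingACLContext(), 100)
                + " strategy constructions for 100 checks");
        System.out.println("init-once context:      "
                + constructionsFor(new InitOnceACLContext(), 100)
                + " strategy construction(s) for 100 checks");
    }
}
```

Compile and run with `javac ACLContextReinitDemo.java && java ACLContextReinitDemo`: for 100 checks the first context constructs the strategy 100 times, the second once. Two points a practitioner would want stated. First, the guard must be re-checked inside the lock; a plain `if (initialized) return;` with no synchronization lets two first callers each rebuild, and in the buggy sketch the unsynchronized clear/add on a shared list is a concurrency hazard in its own right (whether the real JBossACLContext shares that shape is not established by the report). Second, once initialization is latched, a change to the security domain's acl configuration no longer takes effect on the next request, so a real fix should tie re-initialization to configuration reload rather than to authorize().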
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira