[jboss-jira] [JBoss JIRA] (JBJCA-1156) encrypted datasource security, big performance hit.

John L (JIRA) issues at jboss.org
Mon Mar 17 18:22:10 EDT 2014


    [ https://issues.jboss.org/browse/JBJCA-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12953674#comment-12953674 ] 

John L commented on JBJCA-1156:
-------------------------------

A complete pool definition we are using:
<datasource jta="false" jndi-name="java:/SomeDS"
	pool-name="SomeDS" enabled="true" use-java-context="true" xmlns="urn:jboss:domain:datasources:1.1">
	<connection-url>jdbc:jtds:sqlserver://localhost:1433/Some
	</connection-url>
	<driver>jtds</driver>
	<new-connection-sql>select 1</new-connection-sql>	
	<transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
	<pool>
		<min-pool-size>1</min-pool-size>
		<max-pool-size>100</max-pool-size>
		<prefill>false</prefill>
		<use-strict-min>false</use-strict-min>
	</pool>
	<security>
		<security-domain>some-encrypted-ds</security-domain>
	</security>
</datasource>

<security-domain name="some-encrypted-ds" cache-type="default">
	    <authentication>
	        <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
	            <module-option name="username" value="some"/>
	            <module-option name="password" value="34959585858585"/>
	        </login-module>
	    </authentication>
</security-domain>

Every connection retrieved from the datasource via JNDI lookup from the pool
decrypts the password using Blowfish, even though the connection is already connected to the DB.
The Blowfish decrypts add up to a large performance hit.

                
> encrypted datasource security, big performance hit.
> ----------------------------------------------------
>
>                 Key: JBJCA-1156
>                 URL: https://issues.jboss.org/browse/JBJCA-1156
>             Project: IronJacamar
>          Issue Type: Bug
>    Affects Versions: 1.0.12.Final
>         Environment: using jboss 7.1.1 or jboss 7.1.3
>            Reporter: John L
>            Assignee: Jesper Pedersen
>
> We set up our JBoss 7.1.3 to use encrypted datasource passwords:
>    <datasources>
>                 <datasource jndi-name="java:/SomDS" pool-name="SomeDS" enabled="true" use-java-context="true">
> .....
>                     <security>
>                         <security-domain>some-encrypted-ds</security-domain>
>                     </security>
>                 </datasource>
>  
> ...
>             	<security-domain name="some-encrypted-ds" cache-type="default">
>                 	<authentication>
>                     	<login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
>                         	<module-option name="username" value="some"/>
>                         	<module-option name="password" value="-......."/>
>                     	</login-module>
>                 	</authentication>
>             	</security-domain>
> By using this our system took a 30% performance hit.
> Some transactions might call getConnection 50 times.
> It seems from looking at code that even if a connection already exists in the pool the password is
> decrypted on every call to get a connection from the datasource.
> Seems like it should only decrypt when a new connection is created to the database.
> Moving back to unencrypted passwords solves the performance problem.
> That is using:
> <security xmlns="urn:jboss:domain:datasources:1.1">
>                     <user-name>xxx</user-name>
>                     <password>yyy</password>
>                 </security>
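
A small Java model of the difference the report describes between decrypting the password on every getConnection call and decrypting only when a new physical connection is created. This is an added example, not IronJacamar or PicketBox code: the Pool class, the key and the password are constructed, and the stock JDK Blowfish cipher stands in for the login module's decryption.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Arrays;

public class DecryptOnCheckoutDemo {
    // Constructed key and password for the demo; not values from the report.
    static final byte[] KEY = "constructed-key!".getBytes(StandardCharsets.UTF_8);
    static final byte[] CLEAR = "constructed-pw".getBytes(StandardCharsets.UTF_8);

    static byte[] crypt(int mode, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("Blowfish");
        c.init(mode, new SecretKeySpec(KEY, "Blowfish")); // key schedule is rebuilt on each init
        return c.doFinal(in);
    }

    // Hypothetical pool: idle entries stand in for already-authenticated connections.
    static final class Pool {
        final ArrayDeque<Object> idle = new ArrayDeque<>();
        final byte[] encPassword;
        final boolean decryptEveryCheckout;
        int decrypts;
        Pool(byte[] enc, boolean every) { encPassword = enc; decryptEveryCheckout = every; }

        byte[] decryptPassword() throws Exception {
            decrypts++;
            return crypt(Cipher.DECRYPT_MODE, encPassword);
        }
        Object getConnection() throws Exception {
            byte[] pw = decryptEveryCheckout ? decryptPassword() : null;
            Object conn = idle.poll();
            if (conn == null) { // only a new physical connection needs to log in
                if (pw == null) pw = decryptPassword();
                conn = new Object(); // the database login with pw would happen here
            }
            if (pw != null) Arrays.fill(pw, (byte) 0); // wipe the cleartext copy
            return conn;
        }
        void release(Object conn) { idle.push(conn); }
    }

    // Runs sequential get/release cycles and returns how many decryptions happened.
    static int run(boolean every, int checkouts) throws Exception {
        Pool pool = new Pool(crypt(Cipher.ENCRYPT_MODE, CLEAR), every);
        for (int i = 0; i < checkouts; i++) pool.release(pool.getConnection());
        return pool.decrypts;
    }
    public static void main(String[] args) throws Exception {
        System.out.println("decrypt on every checkout: " + run(true, 50));
        System.out.println("decrypt on new connection: " + run(false, 50));
    }
}
```

The 50 checkouts in main match the number of getConnection calls per transaction mentioned in the report.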
