[jboss-jira] [JBoss JIRA] (SECURITY-864) NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration
Martin Letenay (JIRA)
issues at jboss.org
Thu Oct 27 06:30:00 EDT 2016
[ https://issues.jboss.org/browse/SECURITY-864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13312864#comment-13312864 ]
Martin Letenay commented on SECURITY-864:
-----------------------------------------
We faced this problem after upgrading from JBoss 7.1 to WildFly 9.
However, it is not only cosmetic but has severe negative performance implications.
Our application is EJB invocation intensive (invokes various EJB calls tens or hundreds of times) and the performance after the switch from 7.1 to 9.0 was 10 times slower!
From the picketbox code inspection it seems the {{EJBAuthorizationHelper}} is trying to pass the {{PolicyRegistration}} instance into the underlying {{AuthorizationModuleDelegate}} during every EJB method invocation authorization phase.
However, the {{PolicyRegistration}} seems to be relevant only for XACML security configurations.
For plain Delegate or JACC authorization modules the {{PolicyRegistration}} is never used (and never created).
When e.g. JACC authorization is used, the (unsuccessful) JNDI lookup is performed for each and every (secured) EJB invocation and it results in unnecessary performance degradation.
We couldn't find anywhere in the documentation or the code where the PolicyRegistration is being put into the JNDI tree.
Since we're using a custom LoginModule implementation, we have developed a temporary workaround: during initialization of the JAAS LoginModule we check the existence of the {{java:/policyRegistration}} JNDI resource and if it is missing (actually always), we instantiate the {{org.jboss.security.plugins.JBossPolicyRegistration}} and bind it into the JNDI tree.
After this workaround, the performance of our application went back to normal times as of JBoss 7.1, i.e. nearly 10 times faster.
It would be really nice to have this issue resolved properly (e.g. by storing negative JNDI lookup or registering the policy also for Delegate/JACC modules).
> NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration
> -------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-864
> URL: https://issues.jboss.org/browse/SECURITY-864
> Project: PicketBox
> Issue Type: Bug
> Components: PicketBox
> Reporter: Chao Wang
> Assignee: Stefan Guilhen
>
> "NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration" is recorded in server.log during quickstart example run by changing log level:
> {noformat}
> <logger category="org.jboss.as.security">
> <level name="TRACE"/>
> </logger>
> <logger category="org.jboss.security">
> <level name="TRACE"/>
> </logger>
> {noformat}
> See detailed description in community discussion [#907134|https://developer.jboss.org/message/907134]
> I choose Jira component picketbox since the exception is titled as "PBOX000293: Exception caught: javax.naming.NameNotFoundException"
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
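
The workaround described in the comment above, sketched as an added example (not code from the commenter or from PicketBox). The class name `PolicyRegistrationBinder` and its method are hypothetical; it assumes `JBossPolicyRegistration` has a public no-argument constructor and that the calling code is allowed to bind under `java:/`.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;

import org.jboss.security.plugins.JBossPolicyRegistration;

/** Hypothetical helper: call ensureBound() from a custom LoginModule's initialize(). */
public final class PolicyRegistrationBinder {

    // JNDI name quoted in the comment above.
    static final String JNDI_NAME = "java:/policyRegistration";

    // Set only after the name is known to resolve, so a failed attempt is retried.
    private static volatile boolean bound;

    private PolicyRegistrationBinder() {}

    public static void ensureBound() throws NamingException {
        if (bound) {
            return; // fast path: no JNDI traffic on later logins
        }
        synchronized (PolicyRegistrationBinder.class) {
            if (bound) {
                return;
            }
            Context ctx = new InitialContext();
            try {
                try {
                    ctx.lookup(JNDI_NAME); // already present, e.g. an XACML setup
                } catch (NameNotFoundException missing) {
                    try {
                        // Assumption: public no-arg constructor.
                        ctx.bind(JNDI_NAME, new JBossPolicyRegistration());
                    } catch (NameAlreadyBoundException raced) {
                        // Another deployment bound it first; nothing left to do.
                    }
                }
                bound = true;
            } finally {
                ctx.close();
            }
        }
    }
}
```

Any other `NamingException` (for example a read-only naming context) propagates to the caller and leaves `bound` false, so the failure is visible at login-module initialization instead of silently falling back to the per-invocation lookup.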