[wildfly-dev] SimpleRoleGroup#roles
arjan tijms
arjan.tijms at gmail.com
Mon Jun 8 06:08:57 EDT 2015
Hi,
On Mon, Jun 8, 2015 at 8:25 AM, Philippe Marschall <kustos at gmx.net> wrote:
> Hi
>
> I’m aware this may not technically be the right list to discuss this but
> this list is impacted by this and fairly active.
>
> During load testing of our application we found a case where we spend 10% of
> our CPU time in SimpleRole#equals (see attachment). This is because
> SimpleRoleGroup uses an ArrayList to maintain a unique set of roles. As a
> result it has to call ArrayList#contains a lot, which is itself O(n). In
> fact because that’s done when iterating over all the roles it becomes
> O(n^2). In our case our principals can have up to 200 roles. I don’t know
> if this is exceptionally many or a common case.
>
200 doesn't seem like so many. The "problem" often is that the term "role"
makes people think they are only allowed to use it for things like
"administrator" and "manager" and such. In that view 200 may be much.
But, nothing in Java EE security imposes this, and if you want to use roles
with names like "can_see_updated_interest", then 200 is really nothing.
From the call stack, I guess this is triggered via @RolesAllowed on an EJB
right?
Theoretically, this is where JACC could come in according to the Java EE
standards. This would allow you to implement your own (optimized if
necessary) logic for "is user/caller in role".
However, despite being Java EE 7 certified, it seems it's not actually
possible to install a JACC provider on JBoss. This is a bit of a spec hole,
unfortunately. Most of the code seems to be there in JBoss (WildFly), but
there's just no place where you can actually put your own JACC provider.
Kind regards,
Arjan Tijms
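The O(n^2) cost described in the quoted message, as an added illustration that is not code from this thread or from WildFly/PicketBox: a list-backed role group enforces uniqueness with contains() and so calls equals() on every element, while a hash-backed group only calls equals() on a bucket hit. The Role, ListRoleGroup and SetRoleGroup classes are hypothetical stand-ins, and the instrumented equals() counter exists only to make the cost visible.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class RoleLookupCost {
    // Counts equals() invocations so the cost of each lookup strategy is visible.
    static long equalsCalls = 0;

    // Hypothetical role: equal by name only, hashCode consistent with equals.
    static final class Role {
        final String name;
        Role(String name) { this.name = name; }
        @Override public boolean equals(Object o) {
            equalsCalls++;
            return o instanceof Role && ((Role) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // List-backed group: contains() is a linear scan, so add() and lookup are O(n) each.
    static final class ListRoleGroup {
        final List<Role> roles = new ArrayList<>();
        void add(Role r) { if (!roles.contains(r)) roles.add(r); }
        boolean contains(Role r) { return roles.contains(r); }
    }

    // Set-backed group: hashing gives O(1) expected add() and lookup.
    static final class SetRoleGroup {
        final Set<Role> roles = new HashSet<>();
        void add(Role r) { roles.add(r); }
        boolean contains(Role r) { return roles.contains(r); }
    }

    public static void main(String[] args) {
        int n = 200; // about the role count mentioned in the thread
        ListRoleGroup list = new ListRoleGroup();
        SetRoleGroup set = new SetRoleGroup();
        // Build the group, then sweep all roles once as an "is caller in role" pass would.
        equalsCalls = 0;
        for (int i = 0; i < n; i++) list.add(new Role("can_see_report_" + i));
        for (int i = 0; i < n; i++) list.contains(new Role("can_see_report_" + i));
        long listCost = equalsCalls;
        equalsCalls = 0;
        for (int i = 0; i < n; i++) set.add(new Role("can_see_report_" + i));
        for (int i = 0; i < n; i++) set.contains(new Role("can_see_report_" + i));
        long setCost = equalsCalls;
        System.out.println("ArrayList-backed equals() calls: " + listCost); // grows as n^2
        System.out.println("HashSet-backed  equals() calls: " + setCost);  // grows as n
    }
}
```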