PicketBox
  1. PicketBox
  2. SECURITY-734

Slow policy evaluation with a large number of policy sets

    Details

    • Type: Enhancement Enhancement
    • Status: Resolved Resolved (View Workflow)
    • Priority: Major Major
    • Resolution: Done
    • Affects Version/s: picketbox_xacml_2.0.8.Final
    • Component/s: None
    • Security Level: Public (Everyone can see)
    • Labels:
      None
    • Environment:
      RedHat Linux 6.0, WebSphere Application Server 7.0
    • Estimated Difficulty:
      Low
    • Similar Issues:
      Show 10 results 

      Description

      We suffer a performance problem in the evaluation of large XACML configuration. We use JBoss (Sun?) XACML library to process a large number of policy sets (over 2400 policy set files) using "deny-override" combining algorithm.

      Initially the number of policies was relatively small, but it increased with time, leading to performance degradation, with 100% CPU (single)core consumption.

      After running a code sample under Java profiler, we found that 99% of time is spent in method PolicySetFinderModule.findPolicy(URI, int, VersionConstraints, PolicyMetaData).

      This method walks through a list of AbstractPolicy objects, comparing an ID of each object with it's first argument. In our configuration the number of such objects is relatively large, leading to slow execution with high CPU consumption.

      We suggest replacing the list of AbstractPolicy with a HashMap. Our experiments show that total evaluation time reduces ~50 times with a HashMap over List implementation.

        Activity

        Hide
        Maxim Zinal
        added a comment -

        A small patch fixing performance problem

        Show
        Maxim Zinal
        added a comment - A small patch fixing performance problem
        Hide
        Anil Saldhana
        added a comment -

        Maxim Zinal please feel free to fork https://github.com/picketbox/security-xacml and submit a pull request.

        Show
        Anil Saldhana
        added a comment - Maxim Zinal please feel free to fork https://github.com/picketbox/security-xacml and submit a pull request.
        Hide
        Maxim Zinal
        added a comment -

        Created a pull request. How strange and ugly that git is, uh...
        Poor Linux developers.

        Show
        Maxim Zinal
        added a comment - Created a pull request. How strange and ugly that git is, uh... Poor Linux developers.
        Hide
        Anil Saldhana
        added a comment -

        Maxim Zinal I like github because contributions such as yours is easier to merge into the project. Thanks a lot for the contribution.

        Show
        Anil Saldhana
        added a comment - Maxim Zinal I like github because contributions such as yours is easier to merge into the project. Thanks a lot for the contribution.

          People

          • Assignee:
            Anil Saldhana
            Reporter:
            Maxim Zinal
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: