Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-734

Slow policy evaluation with a large number of policy sets

    Details

    • Type: Enhancement
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: picketbox_xacml_2.0.8.Final
    • Component/s: None
    • Labels:
      None
    • Environment:

      RedHat Linux 6.0, WebSphere Application Server 7.0

      Description

      We suffer a performance problem in the evaluation of large XACML configuration. We use JBoss (Sun?) XACML library to process a large number of policy sets (over 2400 policy set files) using "deny-override" combining algorithm.

      Initially the number of policies was relatively small, but it increased with time, leading to performance degradation, with 100% CPU (single)core consumption.

      After running a code sample under Java profiler, we found that 99% of time is spent in method PolicySetFinderModule.findPolicy(URI, int, VersionConstraints, PolicyMetaData).

      This method walks through a list of AbstractPolicy objects, comparing an ID of each object with it's first argument. In our configuration the number of such objects is relatively large, leading to slow execution with high CPU consumption.

      We suggest replacing the list of AbstractPolicy with a HashMap. Our experiments show that total evaluation time reduces ~50 times with a HashMap over List implementation.

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                anil.saldhana Anil Saldanha
                Reporter:
                zinal Maxim Zinal
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: