On 04/25/2014 09:36 AM, Sean Mullan wrote:
Please review a draft of a proposed research JEP to improve the
performance of the Security Manager:


http://cr.openjdk.java.net/~mullan/jeps/Improve-Security-Manager-Performance.00


I am particularly interested in any experience you have measuring or
profiling the performance of your code when run with a Security Manager,
and any potential ideas for optimizations that you may have.

It occurs to me that there is also another axis along which SM performance might be improved. The first part is clearly making the various stages of permission checking, access control context acquisition, etc. all more efficient, as previously discussed, but another thing worth looking at is examining and reducing the number of permission checks and privileged actions actually required by a typical application.

For example, most commonly, the privileged actions in our code bases are doing things like:

1. Getting a class loader for a class
2. Getting and (less commonly) setting system properties
3. Getting environment properties
4. Making reflection objects accessible

The permission checks for all of these actions could be hoisted to dedicated object classes which perform the action, where the permission is actually checked when the object instance is acquired. For example:

  public final class ClassClassLoaderAccessor {

      [...]

      public static ClassClassLoaderAccessor getInstance() {
          // getSecurityManager() returns null when no security manager is installed
          SecurityManager sm = System.getSecurityManager();
          if (sm != null) {
              sm.checkPermission(CLASS_LOADER_PERMISSION);
          }
          return INSTANCE;
      }

      public ClassLoader getClassLoader(Class<?> clazz) {
          // bypass security check (this is a contrived example)
          return clazz.classLoader;
      }
  }

The exact mechanism would necessarily be JDK specific - especially if these classes would reside in separate packages from their related functionality - but the point is that the permission check only happens once, and the object could then be efficiently utilized in a tight loop.

We use a similar pattern in a few places where permission checks are done, and it seems to work adequately. The command object instance can easily be placed into a non-public static final field for convenient access.

--
- DML

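The check-once-at-acquisition pattern from the message above, applied to system property reads (item 2 in its list), as an added example that is not code from the message or from the JDK. All class names are hypothetical, and `AccessController.doPrivileged` stands in for the JDK-internal bypass the message assumes, since code outside the JDK cannot skip the check inside `System.getProperty`.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.PropertyPermission;

// Added illustration; all class names here are hypothetical.
@SuppressWarnings("removal") // SecurityManager and AccessController are deprecated for removal since JDK 17
final class SystemPropertyAccessor {
    // Acquisition grants read access to every property, so check the broadest permission.
    private static final PropertyPermission READ_ALL = new PropertyPermission("*", "read");
    private static final SystemPropertyAccessor INSTANCE = new SystemPropertyAccessor();

    private SystemPropertyAccessor() {}

    // The only check made against the caller's access control context.
    static SystemPropertyAccessor getInstance() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(READ_ALL);
        }
        return INSTANCE;
    }

    // No caller check: holding the reference is the authorization.
    // doPrivileged stands in for the JDK-internal bypass the message describes.
    String get(String name) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(name));
    }
}

@SuppressWarnings("removal")
public final class AccessorDemo {
    // Non-public static final field, so the capability never reaches less-trusted code.
    // Acquired under doPrivileged because class initialization runs on the stack of
    // whichever caller happened to trigger it.
    private static final SystemPropertyAccessor PROPS = AccessController.doPrivileged(
        (PrivilegedAction<SystemPropertyAccessor>) SystemPropertyAccessor::getInstance);

    public static void main(String[] args) {
        String[] names = {"java.version", "os.name", "user.dir"};
        for (String name : names) { // hot path: no per-call check of the caller's context
            System.out.println(name + " = " + PROPS.get(name));
        }
    }
}
```

Because the instance itself is the authorization, returning it from a public method or storing it in a public field gives every caller the access that `getInstance()` was meant to gate.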