On Tue, Nov 21, 2017 at 5:41 AM, Alan Bateman <alan.bate...@oracle.com> wrote: > On 21/11/2017 00:48, David Lloyd wrote: >> >> One thing that springs to mind. Some allowance would have to be made >> for domain combiners and JAAS Subject propagation: this mechanism also >> uses access control contexts, to its own great detriment. > > Are you thinking about usages where there is no security manager but > AccessController.checkPermission is still used to check permissions?
Not specifically; I'm thinking more of the general problem of Subject association. Calling Subject#doAs*() has a heavy cost, as does Subject#getSubject(). I believe that most container vendors who use JAAS for authentication therefore provide an alternative association API using thread-locals. > In terms of performance the main interest here is the "no security manager" > case. If you have prototypes that moving the stack walking and help the > security manager case then I expect the folks here will be interested. I think that the main benefit of this suggested approach is in fact that it should reduce the cost of the "no security manager" case. Maybe if I get some time over the upcoming holidays I'll give it a spin and see how it goes. -- - DML
