Just stabbing in the dark, but my hunch would be that you will want to find some way to keep from having to do 500000 iterations of the hash on every request. Going by the comments on AuthenticatingRealm[1], it might be worth looking at the second scenario in the Authentication Caching section. A scheme I would think is to ultimately store the passwords as the highly hashed versions, but somehow keep a plaintext in the cache, where you know the cache will never spill out to anywhere else. (Or, alternatively, a slightly less hashed version.)

Before trying anything complicated, I would make passwords that are not as highly iterated in the hashing to see if that ramps you back down in the CPU usage. Otherwise, everything I just said is pointless. :)

[1] http://shiro.apache.org/static/current/apidocs/org/apache/shiro/realm/AuthenticatingRealm.html

On Thu, Nov 7, 2013 at 1:42 PM, saadmufti <[email protected]> wrote:

> Hi,
>
> I'm running a REST API on a quad-core CPU box and when I turn on Shiro
> authentication, the CPUs get maxed out pretty quickly. The main load is
> calls to the API /v1/selection as can be seen in the [urls] section below.
> Turn auth off and CPU utilization is very small. Reading through
> documentation, I thought turning on authentication caching was the key, but
> I have tried both the built-in EhCacheManager and
> MemoryConstrainedCacheManager but it hasn't made any difference. I would
> appreciate any feedback, here is my shiro.ini file:
>
> [main]
> passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
> ;cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
> cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
> securityManager.cacheManager = $cacheManager
> iniRealm.credentialsMatcher = $passwordMatcher
> iniRealm.authenticationCachingEnabled = true
> ; TODO - enable ssl filter for real deployment
> ssl.enabled = false
>
> [users]
> admin = $shiro1$SHA-256$500000$o51Hv+79zLxE02waEHUCAg==$AE6rpoSmI1DmI0KTL0EUt/vU0IkhXCh3l0/8hN5Epvc=, admin
> BeOn = $shiro1$SHA-256$500000$yM3AZt2x3Ak0rKY+DGJSBA==$jqW+7W3wYd4LVcN9zFA5B40ElLsN/C1TKPXXH38SvRQ=, BeOn_update, BeOn_read
>
> [roles]
> admin = *
> aolupdate = selection:aol:update,collection:aol:update,partition:aol:update,promotion:aol:update,algorithm:aol:update
> aolread = selection:aol:read,collection:aol:read,partition:aol:read,promotion:aol:read,algorithm:read,algorithm:aol:read
> BeOn_update = selection:BeOn:update,collection:BeOn:update,partition:BeOn:update,promotion:BeOn:update,algorithm:BeOn:update
> BeOn_read = selection:BeOn:read,collection:BeOn:read,partition:BeOn:read,promotion:BeOn:read,algorithm:read,algorithm:BeOn:read
>
> [urls]
> /v1/collection = ssl, noSessionCreation, authcBasic
> /v1/collection/ = ssl, noSessionCreation, authcBasic
> /v1/partition = ssl, noSessionCreation, authcBasic
> /v1/partition/ = ssl, noSessionCreation, authcBasic
> /v1/algorithm_config = ssl, noSessionCreation, authcBasic, rest[algorithm]
> /v1/algorithm_config/* = ssl, noSessionCreation, authcBasic, rest[algorithm]
> /v1/algorithm_config/*/ = ssl, noSessionCreation, authcBasic, rest[algorithm]
> /v1/algorithm_config/*/BeOn/** = ssl, noSessionCreation, authcBasic, rest[algorithm:BeOn]
> /v1/selection/BeOn/** = ssl, noSessionCreation, authcBasic, rest[selection:BeOn]
> /v1/collection/BeOn/** = ssl, noSessionCreation, authcBasic, rest[collection:BeOn]
>
> Thanks in advance for any help and/or insight.
>
> ----
> Saad
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Shiro-Auth-On-REST-API-Killing-CPU-tp7579340.html
> Sent from the Shiro User mailing list archive at Nabble.com.
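
The caching idea from the reply, as an added Python example that is not code from the thread or from Shiro: the full iterated hash runs once per credential, and repeat requests are matched against a fast HMAC tag held only in memory instead of the plaintext. All names (`CachingVerifier`, `make_shiro1`, `verify_shiro1`, `iterated_sha256`) are hypothetical, and the iteration construction behind the `$shiro1$` string is an assumption that was not checked against the hashes quoted above.

```python
import base64, hashlib, hmac, os, time

def iterated_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    # Assumed construction: H(salt + password), then re-hash the digest iterations-1 times.
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest

def make_shiro1(password: bytes, salt: bytes, iterations: int) -> str:
    b64 = lambda b: base64.b64encode(b).decode()
    return f"$shiro1$SHA-256${iterations}${b64(salt)}${b64(iterated_sha256(password, salt, iterations))}"

def verify_shiro1(stored: str, password: bytes) -> bool:
    _, scheme, alg, iters, salt, digest = stored.split("$")
    if (scheme, alg) != ("shiro1", "SHA-256"):
        raise ValueError("unsupported hash format")
    expected = base64.b64decode(digest)
    actual = iterated_sha256(password, base64.b64decode(salt), int(iters))
    return hmac.compare_digest(expected, actual)

class CachingVerifier:
    """Slow check once, then a fast keyed tag until expiry; wrong guesses stay slow."""
    def __init__(self, users: dict, ttl: float = 300.0, clock=time.monotonic):
        self.users, self.ttl, self.clock = users, ttl, clock
        self.key = os.urandom(32)      # per-process key, never persisted
        self.cache = {}                # username -> (tag, expiry)
        self.slow_checks = 0

    def _tag(self, username: str, password: bytes) -> bytes:
        msg = username.encode() + b"\0" + password
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def authenticate(self, username: str, password: bytes) -> bool:
        tag = self._tag(username, password)
        entry = self.cache.get(username)
        if entry and self.clock() < entry[1] and hmac.compare_digest(entry[0], tag):
            return True                # cache hit: one HMAC instead of the full hash
        stored = self.users.get(username)
        if stored is None:
            return False
        self.slow_checks += 1          # cache miss or mismatch: pay the full cost
        if not verify_shiro1(stored, password):
            return False
        self.cache[username] = (tag, self.clock() + self.ttl)
        return True

if __name__ == "__main__":  # constructed user; 500000 iterations as in the thread
    v = CachingVerifier({"demo": make_shiro1(b"constructed-pw", os.urandom(16), 500000)})
    print(all(v.authenticate("demo", b"constructed-pw") for _ in range(100)), v.slow_checks)
```

The TTL bounds how long a changed or revoked password keeps being accepted from the cache, so an entry should also be dropped whenever the stored hash for that user changes.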
