Dear CXF Users,

We are using the CXF-STS implementation. The solution has worked great for many years and we are generally super-happy with it.
For a couple of weeks we have encountered an issue where a small percentage of our users get a timeout during validation of the SecurityToken call (only for the Kerberos use case). If we analyze the problem, we get the following method hotspot. (Within receive0JRE the call is sometimes stuck for minutes.)

PlainDatagramSocketImpl.receive0 | java.net ...
AbstractPlainDatagramSocketImpl.receive | java.net
DatagramSocket.receive | java.net
UDPClient.receive | sun.security.krb5.internal
KdcComm$KdcCommunication.run | sun.security.krb5
KdcComm$KdcCommunication.run | sun.security.krb5
AccessController.doPrivileged | java.security
KdcComm.send | sun.security.krb5
KdcComm.sendIfPossible | sun.security.krb5
KdcComm.send | sun.security.krb5
KdcComm.send | sun.security.krb5
KrbAsReqBuilder.send | sun.security.krb5
KrbAsReqBuilder.action | sun.security.krb5
Krb5LoginModule.attemptAuthentication | com.sun.security.auth.module
Krb5LoginModule.login | com.sun.security.auth.module
DelegatingMethodAccessorImpl.invoke | sun.reflect
Method.invoke | java.lang.reflect
LoginContext.invoke | javax.security.auth.login
LoginContext.access$ | javax.security.auth.login
LoginContext$4.run | javax.security.auth.login
LoginContext$4.run | javax.security.auth.login
AccessController.doPrivileged | java.security
LoginContext.invokePriv | javax.security.auth.login
LoginContext.login | javax.security.auth.login
KerberosTokenValidator.validate | org.apache.wss4j.dom.validate
BinarySecurityTokenProcessor.handleToken | org.apache.wss4j.dom.processor
WSSecurityEngine.processSecurityHeader | org.apache.wss4j.dom.engine
WSS4JInInterceptor.handleMessageInternal | org.apache.cxf.ws.security.wss4j
WSS4JInInterceptor.handleMessage | org.apache.cxf.ws.security.wss4j
PolicyBasedWSS4JInInterceptor.handleMessage | org.apache.cxf.ws.security.wss4j
PolicyBasedWSS4JInInterceptor.handleMessage | org.apache.cxf.ws.security.wss4j

We believe this is network related (slow response time). Any idea how I can improve this?
Is it, for instance, possible to set a timeout and retry on the KerberosTokenValidator.validate method? Or do you have any other suggestions?

Best Regards
Raggy
