Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8043631

JEP 232: Improve Secure Application Performance

    Details

    • Author:
      Sean Mullan
    • JEP Type:
      Feature
    • Exposure:
      Open
    • Subcomponent:
    • Scope:
      Implementation
    • Discussion:
      security dash dev at openjdk dot java dot net
    • Effort:
      M
    • Duration:
      L
    • Alert Status:
       Green
    • JEP Number:
      232

      Description

      Summary

      Improve the performance of applications that are run with a security manager installed.

      Goals

      Gain a better understanding of the performance issues and implement enhancements that are demonstrated to improve performance. Subtasks will be created to evaluate and track each potential improvement.

      Non-Goals

      Improving performance is a desirable outcome, but this JEP will not commit to any specific metrics by which performance will improve.

      Motivation

      Improving the performance of applications run with a security manager has been requested by many developers using Java SE, Java EE, and related technologies. Although specific numbers are not confirmed and can vary depending on several factors, running a Java application with a security manager enabled has been known to cause a 10-15% performance degradation. Although some performance penalty is unavoidable, narrowing this performance gap has both performance and security benefits.

      Description

      We explored and implemented a number of optimizations and enhancements for improving the performance of applications that are run with a security manager installed. Some of these optimizations improved performance, while others did not. A few others were shown to have promise, but for various reasons will not be integrated as part of this JEP. New JBS issues were opened (if none previously existed) for each of the optimizations that were considered and micro-benchmarks were created using JMH.

      Optimizations

      Based on testing and community feedback, our primary focus area for improving performance was the enforcement of security policy and the evaluation of permissions. The permission classes and default JDK policy implementation are designed to be thread-safe. However, performance tests with multiple threads show that these classes are a hot spot. We implemented several improvements that improve throughput and reduce thread contention:

      1. Use ConcurrentHashMap to map ProtectionDomain to PermissionCollection
      2. SecureClassLoader should use a ConcurrentHashMap
      3. Remove Policy provider code that synchronizes on identityPolicyEntries List
      4. Store PermissionCollection entries in a ConcurrentHashMap instead of a HashMap in Permissions class
      5. Store permissions in concurrent collections in PermissionCollection subclasses

      We also improved performance in two other key areas:

      • We changed the hashCode method of java.security.CodeSource to avoid potentially expensive DNS lookups by using a string form of the codesource URL to compute the hash code. See JDK-6826789 for more information.

      • We enhanced the package checking algorithm of the checkPackageAccess method of java.lang.SecurityManager. See JDK-8072692 for more information.

      Testing

      Tests will be needed to measure performance before and after each potential optimization is applied. More than one test may need to be implemented to ensure proper code coverage, and to reflect different types of use cases. Profiling tools will be used to help identify areas of potential optimization. In addition, we will run the SPECjEnterprise benchmark to measure the performance impact of the optimizations on Java EE applications.

      Finally, each optimization will be measured across all supported JDK platforms in order to ensure that the results are consistently positive.

        Activity

        Hide
        mullan Sean Mullan added a comment -
        Changing the Scope from "SE" to "Implementation" since none of the proposed improvements require specification changes.
        Show
        mullan Sean Mullan added a comment - Changing the Scope from "SE" to "Implementation" since none of the proposed improvements require specification changes.

          People

          • Assignee:
            mullan Sean Mullan
            Reporter:
            mullan Sean Mullan
            Owner:
            Sean Mullan
            Reviewed By:
            Brian Goetz
            Endorsed By:
            Brian Goetz
          • Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

            • Due:
              Created:
              Updated:
              Resolved:
              Integration Due: