7 Replies Latest reply on Mar 18, 2011 12:12 AM by jdiep

    Is XACML PDP Thread Safe?

    ffaure

      Hi all,

      This is my first post; sorry if it is too or not enough precise.
      I'm currently testing the JBoss XACML Implementation with the SAML Servlet enveloppe.
      I first simply deployed the SAML Servlet and the PDP with my own policies on a JBoss Server 4.2.3GA
      It was running fine (ie all my SAML requests were responding PERMIT or DENY appropriately) but the perf was very poor.
      I realized that the PDP was loading the policy files from disk for each request and that was the reason of bad perfs.
      Then, I modified the SOAPSAMLXACMLServlet to load the policies at start up (init method)

      The perf improved really significally. Unfortunately, I stress tested my configuration with SOAP UI and I got unattended results. I mean, some request that had always returned PERMIT were returning few times a DENY (about 1/1000 times).

      I added a synchronized block around the pdp call and the problem was fixed but again, the perf decreased...

      Have you ever seen a synchronization problem on JBoss PDP? Am I missing something?

      Many thanks in advance,

      Fred

        • 1. Re: Is XACML PDP Thread Safe?
          anil.saldhana

          What version of JBossXACML?

          Also are you referring to the SOAPSAMLXACMLServlet from JBoss Identity 1.0.0.alpha3?

          • 2. Re: Is XACML PDP Thread Safe?
            anil.saldhana

            http://snapshots.jboss.org/maven2/org/jboss/identity/jboss-identity-bindings/1.0.0.alpha3-SNAPSHOT/

            Can you use the snapshot jar and tell me how the performance is and the thread safety issue?

            The performance of the servlet needs to be improved because I am unsure whether we have optimal parsing yet.

            • 3. Re: Is XACML PDP Thread Safe?
              ffaure

               

              "anil.saldhana@jboss.com" wrote:
              What version of JBossXACML?

              Also are you referring to the SOAPSAMLXACMLServlet from JBoss Identity 1.0.0.alpha3?


              Hi Anil and thank you for your prompt response!

              I'm actually using jboss-xacml-2.0.3 and jboss-xacml-saml-2.0.3-aplha from JBoss Maven Repository.

              I had a look to the new version of your SAML Servlet and it is very similar to what I did to make it work (that is load the pdp at init and put a lock on evaluate() method).
              The performance is OK for the moment but this lock would be a bottleneck in case of huge load, wouldn't it?

              Whatever, regarding your solutions, I guess you confirm the PDP evaluate method is not thread safe? This is the most important to know for me as in my architecture, the PDP won't be used only through the SAML servlet but also through an EJB and other "clients" (Spring). I need to confirm if each PDP instance access has to be synchronized or not.

              Thanks again,

              Fred

              • 4. Re: Is XACML PDP Thread Safe?
                anil.saldhana

                Servlets are by nature multi threaded. The PDP evaluate method needs to be threadsafe. I will be making the change for a quick release of JBossXACMLv2.0.3.SP2 today.

                • 5. Re: Is XACML PDP Thread Safe?
                  ffaure

                   

                  "anil.saldhana@jboss.com" wrote:
                  Servlets are by nature multi threaded. The PDP evaluate method needs to be threadsafe. I will be making the change for a quick release of JBossXACMLv2.0.3.SP2 today.


                  Hi Anil,

                  Thanks again for the effort. I know that servlets are multi threaded. What I wanted to know was if the PDP evaluate method had to be threadsafe. I get the answer. I have to consider this for my various PDP clients.

                  Thanks a lot,

                  Fred

                  • 6. Re: Is XACML PDP Thread Safe?
                    anil.saldhana

                    http://www.jboss.org/jbosssecurity/downloads/JBoss%20XACML/?action=a&windowstate=maximized

                    Pick the JBossXACML v2.0.3.SP2 in about 10 minutes.

                    Fred, thanks for your questions. That got me thinking a bit.

                    I made the pdp.evaluate method thread safe by moving the lock there. I am going to remove the lock from the SOAPSAMLXACMLServlet as the pdp eval is thread safe.

                    Consulted some concurrency experts and they also feel that when the number of locks is small, the Lock construct is the most efficient for synchronization.

                    Also, pick up the JBoss Identity Bindings 1.0.0.alpha3-SNAPSHOT from the
                    http://snapshots.jboss.org/maven2/org/jboss/identity/jboss-identity-bindings/1.0.0.alpha3-SNAPSHOT/

                    So, two things for your performance tests - pick JBossXACML v2.0.3.SP2 and updated snapshot for JBoss Identity bindings. Tell me how good the thread safety is in your load test results.

                    Regarding improving the performance, currently we are validating the request while parsing. We can improve by providing an option to disable the validation while parsing.

                    • 7. Re: Is XACML PDP Thread Safe?
                      jdiep

                      Anil,

                       

                      Where do you set the option to disable the validation while parsing?

                       

                      Thanks,

                      Johnny