1. Re: Using custom security domain to use encrypted password
peterj Jul 25, 2008 11:21 AM (in response to priyankalavti)
Did you set min-pool-size in the *-ds.xml file? If not, try setting it to the number of simultaneous connections that you expect to have and see if that reduces the time.
2. Re: Using custom security domain to use encrypted password
vickyk Jul 28, 2008 1:44 AM (in response to priyankalavti)
"priyankalavti" wrote:
Problem:
By going thru the custom login module, JBoss JCA takes ~25 milliseconds to return the connection. And this 25 milliseconds doesn't count the time to call password manager. But if I don't use cleartext password, it takes hardly 1 millisecond.

Give us the evidence, we need log details which will indicate what you claim.
3. Re: Using custom security domain to use encrypted password
priyankalavti Jul 29, 2008 4:05 AM (in response to priyankalavti)
Here are the logs after enabling trace on the server.
Please notice the time difference of colored logs.
2008-07-25 16:40:34,369 INFO [STDOUT] Entering getDbConnection method
2008-07-25 16:40:34,370 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=id=admin,ou=user,dc=test,dc=com
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] destroy, subject=Subject:
Private Credential: javax.resource.spi.security.PasswordCredential@1ab2f
, this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@15e5335[Subject(7975210).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275], activeUsers=0
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager$DomainInfo] logout, subject=Subject:
Private Credential: javax.resource.spi.security.PasswordCredential@1ab2f
, this=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@15e5335[Subject(7975210).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275]
2008-07-25 16:40:34,370 TRACE [org.jboss.resource.security.SecureIdentityLoginModule1] getIdentity called, username=testuser
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] Begin isValid, principal:id=admin,ou=user,dc=test,dc=com, cache info: null
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] defaultLogin, principal=id=admin,ou=user,dc=test,dc=com
2008-07-25 16:40:34,397 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(EncryptDBPassword), size=10
2008-07-25 16:40:34,397 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(EncryptDBPassword), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: com.test.security.jboss.loginmodule.DatabaseSecureLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=managedConnectionFactoryName, value=jboss.jca:name=testjndi,service=LocalTxCM
name=password, value=TESTUSER_KEY
name=username, value=testuser
2008-07-25 16:40:34,398 TRACE [org.jboss.resource.security.AbstractPasswordCredentialLoginModule1] mcfname: jboss.jca:name=testjndi,service=LocalTxCM
2008-07-25 16:40:34,398 TRACE [org.jboss.resource.security.SecureIdentityLoginModule1] login called
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] defaultLogin, lc=javax.security.auth.login.LoginContext@1d71519, subject=Subject(27927662).principals=
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] updateCache, inputSubject=Subject(27927662).principals=, cacheSubject=Subject(20835342).principals=
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@54b8e7[Subject(20835342).principals=,credential.class=java.lang.String@4337374,expirationTime=1216984219275]
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] End isValid, true
2008-07-25 16:40:34,399 INFO [STDOUT] time taken in getDbConnection in millis...30
Regards,
Priyanka
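The timing evidence asked for earlier in the thread can be pulled out of a trace log like the one above mechanically. The following is an added example, not part of the original post: it parses log4j-style timestamps, ranks the gaps between consecutive events, and counts `isValid` calls that found no cache entry. The sample lines are abridged from the posted log; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines abridged from the trace in the post above
# (same timestamps and categories, some messages shortened).
SAMPLE_LOG = """\
2008-07-25 16:40:34,369 INFO [STDOUT] Entering getDbConnection method
2008-07-25 16:40:34,370 TRACE [org.jboss.security.SecurityAssociation] getPrincipal
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] Begin isValid, principal:id=admin,ou=user,dc=test,dc=com, cache info: null
2008-07-25 16:40:34,370 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] defaultLogin
2008-07-25 16:40:34,397 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(EncryptDBPassword), size=10
Private Credential: continuation line without a timestamp
2008-07-25 16:40:34,398 TRACE [org.jboss.resource.security.SecureIdentityLoginModule1] login called
2008-07-25 16:40:34,399 TRACE [org.jboss.security.plugins.JaasSecurityManager.EncryptDBPassword] End isValid, true
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}) (\w+)\s+\[([^\]]+)\] (.*)$")

def parse(log_text):
    """Return (timestamp, category, message) per log line; skip continuation lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(microsecond=int(m.group(2)) * 1000)
        events.append((ts, m.group(4), m.group(5)))
    return events

def gaps_ms(events):
    """(gap in ms, message before, message after) for consecutive events, largest first."""
    out = []
    for (t0, _, m0), (t1, _, m1) in zip(events, events[1:]):
        out.append(((t1 - t0) // timedelta(milliseconds=1), m0, m1))
    return sorted(out, key=lambda g: -g[0])

def cache_misses(events):
    """Count isValid calls that found no cached entry (full JAAS login follows)."""
    return sum(1 for _, _, msg in events
               if msg.startswith("Begin isValid") and msg.endswith("cache info: null"))

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for delta, before, after in gaps_ms(evs)[:3]:
        print(f"{delta:3d} ms  {before[:40]!r} -> {after[:40]!r}")
    print("cache misses:", cache_misses(evs))
```

On the sample, 27 of the 30 ms fall between `defaultLogin` and `Begin getAppConfigurationEntry`, and the one `isValid` call is a cache miss.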
4. Re: Using custom security domain to use encrypted password
priyankalavti Jul 29, 2008 4:13 AM (in response to priyankalavti)
I am using MySQL database.
The mysql-ds.xml looks like:

    <local-tx-datasource>
      <jndi-name>testjndi</jndi-name>
      <connection-url>jdbc:mysql://localhost:3306/</connection-url>
      <security-domain>EncryptDBPassword</security-domain>
      <driver-class>org.gjt.mm.mysql.Driver</driver-class>
      <!--pooling parameters-->
      <min-pool-size>5</min-pool-size>
      <max-pool-size>100</max-pool-size>
      <blocking-timeout-millis>5000</blocking-timeout-millis>
      <idle-timeout-minutes>15</idle-timeout-minutes>
    </local-tx-datasource>

The application policy entry of login-config.xml looks like:

    <application-policy name="EncryptDBPassword">
      <authentication>
        <login-module code="com.test.security.jboss.loginmodule.DatabaseSecureLoginModule" flag="required">
          <module-option name="username">testuser</module-option>
          <module-option name="password">TESTUSER_KEY</module-option>
          <module-option name="managedConnectionFactoryName">jboss.jca:name=testjndi,service=LocalTxCM</module-option>
        </login-module>
      </authentication>
    </application-policy>

Regards,
Priyanka
5. Re: Using custom security domain to use encrypted password
balajisaranath Jul 31, 2008 12:02 AM (in response to priyankalavti)
Hi,
This issue has been fixed (at least for us) using the Caching policies. We had a DefaultCacheTimeOut of "0" which meant the authenticate() was called every time in the following piece of code. of the authentication.
The latency that was a problem for us in our design was the authenticate() that created DefaultLoginConfig using reflection. A few milliseconds extra, but on a real time server, it was a major impact for us.
Thanks
Bala

Code snippet from the JBoss source code (JaasSecurityManager):

    public boolean isValid(Principal principal, Object credential, Subject activeSubject)
    {
       // Check the cache first
       DomainInfo cacheInfo = getCacheInfo(principal, true);
       if( trace )
          log.trace("Begin isValid, principal:"+principal+", cache info: "+cacheInfo);

       boolean isValid = false;
       if( cacheInfo != null )
       {
          // A cached entry exists: validate the credential against it
          isValid = validateCache(cacheInfo, credential, activeSubject);
          if( cacheInfo != null )
             cacheInfo.release();
       }
       // Cache miss or failed cache validation: run the full JAAS login
       if( isValid == false )
          isValid = authenticate(principal, credential, activeSubject);
       if( trace )
          log.trace("End isValid, "+isValid);
       return isValid;
    }
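A simplified model of the flow in the snippet above, added here as an example (Python, not JBoss code), shows why a cache timeout of 0 sends every call down the `authenticate()` path, and what a non-zero timeout costs: a cached entry is still accepted after the account is removed, until it expires. `CachingSecurityManager`, `run`, the account data and the timeout unit (seconds) are assumptions made for the illustration.

```python
class CachingSecurityManager:
    """Toy model of the isValid() flow: cache lookup first, full login on a miss."""

    def __init__(self, cache_timeout_s, login, clock):
        self.cache_timeout_s = cache_timeout_s  # models the cache timeout (assumed seconds)
        self.login = login                      # the expensive authenticate() path
        self.clock = clock                      # injected so the run is deterministic
        self.cache = {}                         # principal -> (credential, expires_at)
        self.full_logins = 0

    def _cache_info(self, principal):
        entry = self.cache.get(principal)
        if entry is None or self.clock() >= entry[1]:
            self.cache.pop(principal, None)     # missing or expired entry
            return None
        return entry

    def is_valid(self, principal, credential):
        entry = self._cache_info(principal)
        if entry is not None and entry[0] == credential:  # validateCache() step
            return True
        self.full_logins += 1                              # authenticate() step
        ok = self.login(principal, credential)
        if ok:
            expires = self.clock() + self.cache_timeout_s
            self.cache[principal] = (credential, expires)
        return ok


def run(cache_timeout_s, calls=100, revoke_after=None):
    """One is_valid() call per simulated second; returns (full logins, results)."""
    now = [0.0]
    accounts = {"testuser": "s3cret"}           # constructed sample account
    mgr = CachingSecurityManager(
        cache_timeout_s,
        login=lambda p, c: accounts.get(p) == c,
        clock=lambda: now[0])
    results = []
    for i in range(calls):
        if i == revoke_after:
            accounts.clear()                    # account removed from the backing store
        results.append(mgr.is_valid("testuser", "s3cret"))
        now[0] += 1.0
    return mgr.full_logins, results
```

With a timeout of 0 every one of 100 calls performs a full login; with 1800 only the first does, and a removed account keeps validating from the cache until its entry expires.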