1 Reply Latest reply on Nov 19, 2015 3:27 AM by Lowry Cui

    Performance of datasource decryption in JBoss 7/EAP 6.3

    Lowry Cui Newbie

      Hi All,

       

      Is there a way to cache subject to avoid authentication on data source's security domain?

       

      I have custom login module in security domain for database password protection.

      The custom login module query secret key form specified key store to decrypt database's password, and the key store access password is also in a text file.

      I found the performance is poor since the decryption take 100ms.

      I want to cache authenticated user and password in subject or shared state, but I found the subject/shared state contain nothing since the login module is initialized every time.

      My questions are :

           a) Can I cache authenticated user and decrypted password to avoid decrypting password when every login time

           b) Can I cache something in login module, e.g. key store access password or secret key

       

      Is there someone can help me?  stuck with this for long time. thanks in advance.

       

      follow is my configuration:

      <xa-datasource enabled="true" jndi-name="java:/ReformDS" pool-name="ReformDS" use-ccm="true" use-java-context="true">
             <xa-pool>
                <min-pool-size>10</min-pool-size>
                   <max-pool-size>30</max-pool-size>
                   <prefill>true</prefill>
                   <use-strict-min>true</use-strict-min>
                   <is-same-rm-override>false</is-same-rm-override>
                   <no-tx-separate-pools>true</no-tx-separate-pools>
               </xa-pool>
                  <xa-datasource-property name="url">jdbc:simon:oracle:thin:@172.20.20.83:1521:test112</xa-datasource-property> 
                  <xa-datasource-property name="realDataSourceClassName">oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-property>
                  <driver>reform-driver</driver>
                  <security>         
                          <security-domain>ReformDBPasswordSecurityDomain</security-domain>
                  </security>
             <validation>
                <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
                   <validate-on-match>false</validate-on-match>
                   <background-validation>false</background-validation>
                   <use-fast-fail>false</use-fast-fail>
                   <stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"/>
                   <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
               </validation>
      </xa-datasource>
      
      

       

      <security-domain cache-type="default" name="ReformDBPasswordSecurityDomain">
             <authentication>
                  <login-module code="com.xxx.security.auth.SecureIdentityLoginModule" flag="required" module="com.xxx.security">
                       <module-option name="username" value="reform_release"/>
                       <module-option name="password" value="B7E86815B0B88BCED2F3D298F3EE1349"/>
                       <module-option name="keyStoreUrl" value="${jboss.server.config.dir}/reformconf/test.JCEKS"/>
                       <module-option name="keyStorePasswordStrategy" value="FILE"/>
                       <module-option name="keyStorePasswordStrategy-file" value="D:\reform-dev\PasswordFileName.txt"/>
                       <module-option name="secretKeyAlias" value="TestAlias"/>
                       <module-option name="cipherAlgorithm" value="AES"/>
      
                  </login-module>
             </authentication>
        </security-domain>