CodeSigner objects and ProtectionDomain are used to ensure that classes signed by a different certificate cannot be loaded into a known package. This is achieved by associating a set of signers with the package and then rejecting any attempt to load a class whose signers do not match. However, this seems to have a significant cost: signers need to be created for each class and then compared.
In 6u14/15/18 we added functionality that returns null signer objects for the FX runtime, and that saved 5-10% of warm start time (100-150ms) for simple FX apps. The current workaround in the deployment code cannot be extended to arbitrary apps because it is not secure in the generic case.
Reducing this overhead might be very helpful in improving the startup experience of signed apps (popular in the enterprise).
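
The per-package signer check described above, as a simplified model added here for illustration (it is not the JDK's or the deployment code's implementation). The class name `PackageSignerCheck`, the generic signer type `S` and the sample identities are assumptions; in the JDK the signer would be a CodeSigner or certificate.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of a per-package signer consistency check (not JDK code).
// S stands in for a signer identity such as a CodeSigner or certificate.
public class PackageSignerCheck<S> {
    // Signer set recorded for the first class defined in each package.
    private final Map<String, Set<S>> packageSigners = new ConcurrentHashMap<>();

    /** Throws SecurityException if className's signers differ from its package's. */
    public void check(String className, Set<S> signers) {
        int dot = className.lastIndexOf('.');
        String pkg = dot < 0 ? "" : className.substring(0, dot);
        // Per-class cost 1: an immutable copy of the signer set is built.
        Set<S> current = Set.copyOf(signers);
        // The first class defined in a package pins the expected signers.
        Set<S> expected = packageSigners.putIfAbsent(pkg, current);
        // Per-class cost 2: a set comparison on every later class load.
        if (expected != null && !expected.equals(current)) {
            throw new SecurityException("class \"" + className
                + "\" signer information does not match other classes in package "
                + pkg);
        }
    }

    public static void main(String[] args) {
        PackageSignerCheck<String> check = new PackageSignerCheck<>();
        Set<String> vendor = Set.of("CN=Vendor A");     // constructed sample identity
        Set<String> other = Set.of("CN=Someone Else");  // constructed sample identity

        check.check("com.example.app.Main", vendor);    // pins com.example.app
        check.check("com.example.app.Util", vendor);    // same signers: accepted
        try {
            check.check("com.example.app.Injected", other);  // different signer
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            check.check("com.example.app.Unsigned", Set.of()); // unsigned class
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Returning a null or empty signer set for every class makes both per-class costs vanish, but it also makes every class compare equal, which is why that shortcut is only safe for a runtime whose origin is already trusted.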