JDK-7152564 : Improve CodeSource.matchLocation(CodeSource) performance
- Type: Bug
- Component: security-libs
- Sub-Component: java.security
- Affected Version: 6
- Priority: P2
- Status: Resolved
- Resolution: Fixed
- OS: generic
- CPU: generic
- Submitted: 2012-03-09
- Updated: 2017-05-17
- Resolved: 2012-04-20
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 6 | JDK 7 | JDK 8 |
|---|---|---|
| 6u31-revFixed | 7u6Fixed  |
8Fixed |
Related Reports
|
Relates :
|
|
|
Relates :
|
|
|
Relates :
|
Description
SHORT SUMMARY: Improve CodeSource.matchLocation(CodeSource) performance INDICATORS: Large java.policy files which means some grant rules are subject to DNS and rDNS calls which may be unnecessary. COUNTER INDICATORS: TRIGGERS: Large java policy rules or poor DNS/rDNS performance KNOWN WORKAROUND: Seperate java policy files into smaller subfiles (per applet approach) or sign applets to allow them run outside security sandbox. Cu was not able to make suggested changes. PRESENT SINCE: FCS HOW TO VERIFY: Load a simple applet while also have a large number of rules in .java.policy. Cu sample policy file included in bugDB report. e.g load http://java.sun.com/applets/jdk/1.3/demo/applets/Clock/example1.html and see the performance delay for applet start time. Wireshark shows a series of DNS calls being made which should be avoided with proposed fix *if* .java.policy updated to have better URL paths (more specific to each app instead of make rule that contains root of server as URL codebase. NOTES FOR SE: Latest update to services : (see bugDB for full report) I've a proposed patch under review with Dev engineers at moment. It optimizes the performance of CodeSource.matchLocation(CodeSource) method. With patch rDNS request is last resort to help JRE determine if two URLs match. The two URLS under comparison are the host URL (of applet) and the various grant codeBase URLS in the Cu's policy file. The JRE needs to determine if any of them are a match and hence the DNS/rDNS requests. If we can determine for any reason before DNS lookup that the CodeSources won't match, then matchLocation should return false. Mismatches occur when any of following conditions are met : if protocols doesn't match; if URL path doesn't match; if URL anchor doesn't match; if HostUnknown; if URL1 != URL2 (rDNS used to test all various IPs) The new patch means we avoid DNS if URL paths don't match. Cu will need to implement change on their side though in order to have benefits from this. Take for example a grant codeBase URL of "http://mvsdev.corpny.csfb.com/-" and a host URL of "http://myserver.oracle.com/apps/" Since the policy rule codeBase is recursive, it means DNS is involved since we need to determine if the hosts are equal. *however* if grantCode base was change to something more specific like : "http://mvsdev.corpny.csfb.com/appStore/-" then no DNS is now involved. The URLS can never match. i.e "appStore" != "apps" Hopefully Cu can implement such a change on their end. In the meantime, I'll continue patch review with Dev and hope to get a fix verification binary to you in next 1-2 days. REGRESSION: No.
Comments
|