1 Reply Latest reply on Nov 19, 2015 3:27 AM by rockets

Performance of datasource decryption in JBoss 7/EAP 6.3

rockets Nov 18, 2015 3:57 AM

Hi All,

Is there a way to cache subject to avoid authentication on data source's security domain?

I have custom login module in security domain for database password protection.

The custom login module query secret key form specified key store to decrypt database's password, and the key store access password is also in a text file.

I found the performance is poor since the decryption take 100ms.

I want to cache authenticated user and password in subject or shared state, but I found the subject/shared state contain nothing since the login module is initialized every time.

My questions are :

a) Can I cache authenticated user and decrypted password to avoid decrypting password when every login time

b) Can I cache something in login module, e.g. key store access password or secret key

Is there someone can help me? stuck with this for long time. thanks in advance.

follow is my configuration:

<xa-datasource enabled="true" jndi-name="java:/ReformDS" pool-name="ReformDS" use-ccm="true" use-java-context="true">
       <xa-pool>
          <min-pool-size>10</min-pool-size>
             <max-pool-size>30</max-pool-size>
             <prefill>true</prefill>
             <use-strict-min>true</use-strict-min>
             <is-same-rm-override>false</is-same-rm-override>
             <no-tx-separate-pools>true</no-tx-separate-pools>
         </xa-pool>
            <xa-datasource-property name="url">jdbc:simon:oracle:thin:@172.20.20.83:1521:test112</xa-datasource-property> 
            <xa-datasource-property name="realDataSourceClassName">oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-property>
            <driver>reform-driver</driver>
            <security>         
                    <security-domain>ReformDBPasswordSecurityDomain</security-domain>
            </security>
       <validation>
          <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
             <validate-on-match>false</validate-on-match>
             <background-validation>false</background-validation>
             <use-fast-fail>false</use-fast-fail>
             <stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"/>
             <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
         </validation>
</xa-datasource>

<security-domain cache-type="default" name="ReformDBPasswordSecurityDomain">
       <authentication>
            <login-module code="com.xxx.security.auth.SecureIdentityLoginModule" flag="required" module="com.xxx.security">
                 <module-option name="username" value="reform_release"/>
                 <module-option name="password" value="B7E86815B0B88BCED2F3D298F3EE1349"/>
                 <module-option name="keyStoreUrl" value="${jboss.server.config.dir}/reformconf/test.JCEKS"/>
                 <module-option name="keyStorePasswordStrategy" value="FILE"/>
                 <module-option name="keyStorePasswordStrategy-file" value="D:\reform-dev\PasswordFileName.txt"/>
                 <module-option name="secretKeyAlias" value="TestAlias"/>
                 <module-option name="cipherAlgorithm" value="AES"/>

            </login-module>
       </authentication>
  </security-domain>

1. Re: Performance of datasource decryption in JBoss 7/EAP 6.3

rockets Nov 19, 2015 3:27 AM (in response to rockets)

It's a defect with picketbox-infinispan-4.0.19.SP4-redhat-1.jar in JBOSS EAP 6.3 Alpha
It had been fixed on picketbox-infinispan-4.0.19.SP6.jar.
Bug 1069885 – [GSS] (6.3.0) SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the …
Actions