Massive performance loss for JSF on glassfish4 with security manager
While doing an upgrade of our quality testing server from glassfish 18.104.22.168 to glassfish 4 I noticed a considerable (and untollerable) performance drop for one of our JSF applications. The server (or to be precise the production system which is staged by this server) is primarly used to provided webservices, but one application using JSF with primefaces is hosted there also.
While tracking this down I found the problematic switch: I have the security manager activated and his caused the response time to increase tenfold. To be precise (both times taken after inital warmup):
Response time (without security manager): ~ 300ms
Response time (with security manager): ~3000ms
The response time glassfish 22.214.171.124 (with security manager) was in the range of glassfish 4 for the case without security manager.
This is only reproducible, when I enable a message authentication modules (glassfish-web.xml => httpservlet-security-provider). That module was written by me and is the same in glassfish 3 and 4. The authentication module is used to enable kerberos authentication. From testing with debugging enable (I sprinkled some break points into the authentication module and the ServletFilter mentioned below) the time is not spend in the authentication module itself.
I tested with the file realm and that is fast (no noticable increase in response time between the security manager and non security manager case). From tracking the control flow (breakpoints) and using a ServletFilter I see, that the time is used while processing the request (I'll asume, that the servletfilter ist processed after the authentication modules).
From my observervation the call sequence is:
1. Authentication module
2. Filter modules
3. The servlet itself
For the second stage I had a breakpoint before and after doFilter and got a time difference, that matched the above mentioned response times. I tried to get a profile, but either I got me not enougth information (sampled) or it slowed the application into crawling (instrumented).
I tried putting a grant clause with AllPermission (just to check whether some denied permission triggers further checks) but this did not help.
I tried exchanging the mojarra version (I had installed 2.2.5 to test) - no changes.
I also tried the module with a _much_ simpler page and that looks to be fast - BUT the test case was just some textfield, a command button and ol4jsf. The problem above originates from a primefaces using page (3 datatables - all in ~ 10 rows filled, ~ 9 Inputforms (dialogs)). I tried to make the page smaller and got some way, but in any case, this is not as complex so that it is ok to take that long!
So currently glassfish 4 is a no-go for this case - does anyone see a similar case or can advice where to look deeper (some more sensible profiling?).
I'd appreciate ideas! Thank you in advance.