Two things:
1) Cache the JAXBContext. Creating a JAXBContext is very expensive and slow
as it involves scanning packages, annotations, etc. Create that once.
2) Unmarshalling from an InputStream is also very expensive as it needs to
create a SAX Parser which involves the SPI lookup mechanism as well as several
System.getProperties calls which can kill scalability. Also note that this
opens up the door to various attacks as that SAX parser is not configured to
block various things.
If you can, do something like:

    XMLInputFactory factory = XMLInputFactory.newInstance();
    factory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
    // No DTD processing, no entity expansion, no external entities
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
                        Boolean.FALSE);
    factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
                        Boolean.FALSE);
    // Fail closed if anything still tries to resolve an external entity
    factory.setXMLResolver(new XMLResolver() {
        public Object resolveEntity(String publicID, String systemID,
                                    String baseURI, String namespace)
                throws XMLStreamException {
            throw new XMLStreamException("Reading external entities is disabled");
        }
    });

then cache that factory along with your JAXBContext. Then do:

    unmarshaller.unmarshal(factory.createXMLStreamReader(inputStream));

That will perform a ton better and be significantly more secure. If the
factory is the Woodstox factory (which you REALLY should use as it’s much
faster than the one built into the JDK), then also add:

    factory.setProperty("com.ctc.wstx.maxAttributesPerElement", maxAttributeCount);
    factory.setProperty("com.ctc.wstx.maxAttributeSize", maxAttributeSize);
    factory.setProperty("com.ctc.wstx.maxChildrenPerElement",
                        innerElementCountThreshold);
    factory.setProperty("com.ctc.wstx.maxElementCount", maxElementCount);
    factory.setProperty("com.ctc.wstx.maxElementDepth", innerElementLevelThreshold);
    factory.setProperty("com.ctc.wstx.maxCharacters", maxXMLCharacters);
    factory.setProperty("com.ctc.wstx.maxTextLength", maxTextLength);

with reasonable values for those settings. That would prevent a slew of
various DoS attacks and can also help reduce some of the memory usage.
Dan
> On Dec 18, 2014, at 9:28 AM, R V Ramakrishna <[email protected]> wrote:
>
> JB,
>
> The way we do unmarshalling is
>
> JAXBContext jc;
> jc = JAXBContext.newInstance(Class.forName(resObject
> .getClass().getName()));
> Unmarshaller unmarshaller;
> unmarshaller = jc.createUnmarshaller();
>
> unmarshaller.setSchema(schema);
> resObject = (Resource) unmarshaller.unmarshal(inputStream);
>
> We use Java JAXB, not the ServiceMix implementation. Actually the code is not
> written by me, it was done by some other team and it's a huge code. Looking at
> a higher level of the source I can say this JAXB unmarshaller has been called in
> many bundles explicitly. Any way that we can get rid of this through some
> configurations? I have sent one more set of test results that I did today
> morning to you, around an hour back.
>
> Thanks,
> RK
>
>
>
>
> --
> View this message in context:
> http://karaf.922171.n3.nabble.com/Karaf-runs-slower-in-Intel-Socx-1000-board-tp4037286p4037303.html
> Sent from the Karaf - Dev mailing list archive at Nabble.com.
--
Daniel Kulp
[email protected] - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
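
The advice in the reply above, put together as one class. This is an added example, not code from the original thread or from Karaf: the names SafeXml and Resource are hypothetical, and it assumes the javax.xml.bind API and a JAXB runtime are on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class SafeXml {                      // hypothetical name
    @XmlRootElement(name = "resource")
    public static class Resource { public String name; }   // hypothetical stand-in type
    // Built once and reused: context creation and factory lookup are the slow parts.
    private static final JAXBContext CONTEXT = newContext();
    private static final XMLInputFactory FACTORY = newFactory();
    private static JAXBContext newContext() {
        try { return JAXBContext.newInstance(Resource.class); }
        catch (JAXBException e) { throw new ExceptionInInitializerError(e); }
    }
    private static XMLInputFactory newFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setXMLResolver((publicId, systemId, baseUri, ns) -> {
            throw new XMLStreamException("Reading external entities is disabled");
        });
        return f;
    }

    public static Resource read(InputStream in) throws JAXBException, XMLStreamException {
        XMLStreamReader reader = FACTORY.createXMLStreamReader(in);
        // An Unmarshaller is not thread-safe, so create one per call from the cached context.
        try { return (Resource) CONTEXT.createUnmarshaller().unmarshal(reader); }
        finally { reader.close(); }
    }
    public static void main(String[] args) {
        String ok = "<resource><name>demo</name></resource>";            // constructed sample
        String dtd = "<!DOCTYPE resource [<!ENTITY e SYSTEM \"file:///nonexistent\">]>"
                   + "<resource><name>&e;</name></resource>";            // constructed sample
        for (String xml : new String[] {ok, dtd}) {
            InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
            try { System.out.println("parsed: " + read(in).name); }
            catch (Exception e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

How the second document is handled (an exception or an unexpanded reference) depends on the StAX implementation in use, so check it against the one you actually deploy.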