Hi,

Right now it's not possible to set a timeout + retry on KerberosTokenValidator, but it would be pretty easy to retrofit it along these lines. Have you tried checking to see if there are any problems with your KDC under load?

Colm.

On Thu, Feb 11, 2021 at 6:16 PM Raggy Fab <fabulous....@googlemail.com.invalid> wrote:
> Dear CXF Users,
>
> We are using the CXF-STS implementation. The solution has worked great for many years and we are generally super-happy with it.
>
> Since a couple of weeks we have encountered an issue where a small percentage of our users get a timeout during validation of the SecurityToken call (only for the Kerberos use case).
>
> If we do analyze the problem, we get the following method hotspot.
> (Within receive0JRE the call is stuck for sometimes minutes)
>
> PlainDatagramSocketImpl.receive0 | java.net
> ...
> AbstractPlainDatagramSocketImpl.receive | java.net
> DatagramSocket.receive | java.net
> UDPClient.receive | sun.security.krb5.internal
> KdcComm$KdcCommunication.run | sun.security.krb5
> KdcComm$KdcCommunication.run | sun.security.krb5
> AccessController.doPrivileged | java.security
> KdcComm.send | sun.security.krb5
> KdcComm.sendIfPossible | sun.security.krb5
> KdcComm.send | sun.security.krb5
> KdcComm.send | sun.security.krb5
> KrbAsReqBuilder.send | sun.security.krb5
> KrbAsReqBuilder.action | sun.security.krb5
> Krb5LoginModule.attemptAuthentication | com.sun.security.auth.module
> Krb5LoginModule.login | com.sun.security.auth.module
> DelegatingMethodAccessorImpl.invoke | sun.reflect
> Method.invoke | java.lang.reflect
> LoginContext.invoke | javax.security.auth.login
> LoginContext.access$ | javax.security.auth.login
> LoginContext$4.run | javax.security.auth.login
> LoginContext$4.run | javax.security.auth.login
> AccessController.doPrivileged | java.security
> LoginContext.invokePriv | javax.security.auth.login
> LoginContext.login | javax.security.auth.login
> KerberosTokenValidator.validate | org.apache.wss4j.dom.validate
> BinarySecurityTokenProcessor.handleToken | org.apache.wss4j.dom.processor
> WSSecurityEngine.processSecurityHeader | org.apache.wss4j.dom.engine
> WSS4JInInterceptor.handleMessageInternal | org.apache.cxf.ws.security.wss4j
> WSS4JInInterceptor.handleMessage | org.apache.cxf.ws.security.wss4j
> PolicyBasedWSS4JInInterceptor.handleMessage | org.apache.cxf.ws.security.wss4j
> PolicyBasedWSS4JInInterceptor.handleMessage | org.apache.cxf.ws.security.wss4j
>
> We believe this is network related (slow response time).
> Any idea how I can improve this?
> Is it for instance possible to set a timeout and retry on the KerberosTokenValidator.validate method?
> Or do you have any other suggestions?
>
> Best Regards
> Raggy
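One way to retrofit the timeout + retry that the reply mentions, as an added example rather than CXF or WSS4J project code: a decorating wss4j Validator that bounds how long one delegate validate() call may block and retries a fixed number of times. It assumes the wss4j 2.x Validator/Credential/RequestData/WSSecurityException API; the class name TimeoutRetryValidator and the sample bounds are assumptions.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.KerberosTokenValidator;
import org.apache.wss4j.dom.validate.Validator;

// Added example (not wss4j code): wraps any Validator, e.g. KerberosTokenValidator,
// so that a single stuck KDC round trip cannot pin the request thread indefinitely.
public class TimeoutRetryValidator implements Validator {
    private final Validator delegate;
    private final long timeoutMillis; // wall-clock bound per attempt
    private final int maxAttempts;    // total attempts, including the first
    // Cached pool: a worker still blocked in DatagramSocket.receive is NOT freed by
    // cancel(true) (the JDK socket read is not interruptible), so new attempts must
    // be able to get a fresh thread instead of queueing behind the stuck one.
    private final ExecutorService pool = Executors.newCachedThreadPool();

    public TimeoutRetryValidator(Validator delegate, long timeoutMillis, int maxAttempts) {
        this.delegate = delegate;
        this.timeoutMillis = timeoutMillis;
        this.maxAttempts = maxAttempts;
    }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        WSSecurityException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            Future<Credential> f = pool.submit(() -> delegate.validate(credential, data));
            try {
                return f.get(timeoutMillis, TimeUnit.MILLISECONDS);
            } catch (TimeoutException e) {
                f.cancel(true); // best effort; the blocked worker finishes on its own later
                last = new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
            } catch (ExecutionException e) {
                // A real verdict from the delegate (e.g. bad ticket) is final: do not retry it.
                if (e.getCause() instanceof WSSecurityException) throw (WSSecurityException) e.getCause();
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
            }
        }
        throw last; // all attempts timed out: surface as a failure, never as a silent pass
    }

    // Assumed wiring: bound each Kerberos validation to 5 s and allow 2 attempts.
    public static Validator wrapKerberos() {
        return new TimeoutRetryValidator(new KerberosTokenValidator(), 5000L, 2);
    }
}
```

Because the wrapper cannot unblock the JDK's UDP read, it only caps request latency; the per-request KDC wait itself is governed by the krb5.conf kdc_timeout and max_retries settings (and whether UDP or TCP is used), which is the knob to check alongside the KDC's load.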