Our Application is running on Tomcat 8.5.11 with Java Security Manager. We
see a huge difference in performance dip with tomcat when Java security
manager is enabled. The test uses Jmeter and measures the throughput. Using
JVisualVM provided few bottlenecks in our application as well as with
Tomcat. Our application is around 5 times slow. Jvisualvm shows in each
thread the below call is taking around 70 percent of cpu time. I think this
is because the synchronized call made to AuthConfigFactory.getFactory()

When security manager is enabled tomcat most of the time spends
at AuthenticatorBase.getJaspicProvider() call. Looking at this piece of
code in Tomcat Github

private AuthConfigProvider getJaspicProvider() {
        AuthConfigProvider provider = jaspicProvider;
        if (provider == null) {
            provider = findJaspicProvider();
        if (provider == NO_PROVIDER_AVAILABLE) {
            return null;
        return provider;

private AuthConfigProvider findJaspicProvider() {
        AuthConfigFactory factory = AuthConfigFactory.getFactory()
        AuthConfigProvider provider = null;
        if (factory != null) {
            provider = factory.getConfigProvider("HttpServlet",
jaspicAppContextID, this);
        if (provider == null) {
            provider = NO_PROVIDER_AVAILABLE;
        jaspicProvider = provider;
        return provider;

The jaspicProvider variable is an instance variable i am assuming may be it
is getting created in each and every request (just my assumption).

Is it possible cache the AuthConfigFactory instance in the code
findJaspicProvider to improve the performance of tomcat with java security

Please let me know your inputs.


Reply via email to