In the current Kerberos implementation of Jgss, multiple DESCipher instances are created for each message token, which resulting to Jgss' very poor performance for processing short messages. Currently Jgss takes about 20ms to wrap/unwrap a message of a few bytes. Because GSSContext assumes external synchronization, and DESCipher instances can be re-initialized. Only one DESCipher instance is actually needed for a GSSContext. The proposed change is to instantiate a single instance of DESCipher for a GSSContext, and reuse it to process all message tokens processed by that GSSContext. Test shows that this change alone can improve jgss performance for short messages by a factor of 5 to 10.

A fix has been proposed, which include changes in the following two files:

sun/security/jgss/krb5/Krb5Context.java and
sun/security/jgss/krb5/MessageToken.java

The modified versions are attached.