Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6990462

Overhead of code signers & protection domains

XMLWordPrintable

      CodeSigner objects and ProtectionDomain are used to ensure classes signed by other certificate can not be loaded for known package. This is achieved by associating some signers with the package and then rejecting attempts to load class if signers do not match. However, this seem to have significant cost - signers need to be created for each of the classes and then they need to be compared.

          In 6u14/15/18 we added functionality that returns null signer objects for FX runtime and that saved 5-10% of warm start time (100-150ms) for simple FX apps. Current workaround in the deployment code can not be extended to arbitrary apps because it is not secure for generic case.

          Reducing this overhead might be very helpful to improve startup experience of signed apps (popular in the enterprise).

            mullan Sean Mullan
            ksoshals Kirill Soshalskiy (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: