Re: [aspectj-users] PerClauses

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [aspectj-users] PerClauses

From: "Ron Bodkin" <rbodkin@xxxxxxxxxxx>
Date: Mon, 18 Aug 2003 20:43:22 -0700
Delivered-to: aspectj-users@xxxxxxxxxxx
List-archive: <http://dev.eclipse.org/pipermail/aspectj-users/>
List-help: <mailto:aspectj-users-request@eclipse.org?subject=help>
List-subscribe: <http://dev.eclipse.org/mailman/listinfo/aspectj-users>, <mailto:aspectj-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <http://dev.eclipse.org/mailman/listinfo/aspectj-users>, <mailto:aspectj-users-request@eclipse.org?subject=unsubscribe>

Hi Craig,

It's good to hear you're going to use aspects in this way.

The security aspects from AspectJ in Action illustrate a single-user implementation, as Ramnivas notes. To scale them to a multi-user system it would be natural to store the credentials (subject, etc.) in a session (or context), and to have the aspect access the session to retrieve or update it. Two possible implementations are:
1) a percflow aspect, based on the execution of a servlet request, EJB method, remote method, etc. If you have nested calls you might want to use && !cflowbelow to get top-level calls (see page 368 of AJIA for an explanation of this concept). This aspect stores a handle to the session or context on entry.
2) a singleton aspect, which maintains a reference of sessions or contexts by thread, e.g., in a WeakHashMap (or ThreadLocal). It adds a reference before entering a invocation and removes it after exiting.

If your code uses multiple threads per invocation, then it needs to track the context as you invoke new threads (Gregor posted an example of this a while ago: if you need it ask).

I believe both implementations would perform well and would scale, though benchmarking a prototype based on your expected usage would give you the best confirmation. The percflow aspect should have very efficient authorization, at a cost of creating a few objects for each new invocation. The singleton aspect should have quite fast, though slightly slower authorization (O(1) on average) but not create extra objects to be garbage collected.

I believe both approaches will require synchronization for a short period of time when first entering a method (in creating the cflow aspect or in assigning the ThreadLocal), and not otherwise. However, I'll defer to those who wrote the implementation for an authoritative answer. 

It's worth noting that singleton aspects are a singleton per classloader (in a VM), so if you're using them in multiple containers, processes, or physically distributed, there would be an aspect instance for each classloader. Doing distributed security across classloaders takes more work for coordination. My company New Aspects is building on AspectJ to provide complete application security solutions that enable this kind of distributed identity as well as fine-grained control over data access.

Cheers,
Ron

Ron Bodkin
Chief Technology Officer
New Aspects of Security
m: (415) 509-2895

> ------------Original Message-------------
> From: Craig Collings <Craig.Collings@xxxxxxxxxxxxxxxxx>
> To: "'aspectj-users@xxxxxxxxxxx'" <aspectj-users@xxxxxxxxxxx>
> Date: Mon, Aug-18-2003 7:20 PM
> Subject: [aspectj-users] PerClauses
> 
> Hello all,
> 
> After a few weeks of investigating AspectJ and following these discussions,
> I've decided that the simplest and most robust way implement JAAS
> authorization on my current project is to use aspects along the lines kindly
> suggested by Ramnivas Laddad.
> Being new to this however, many things remain opaque.
> In particular, performance issues...
> The default creation pattern for aspects is as a singleton. It would seem at
> first glance, that for wide-ranging pointcuts such as authorisation
> pointcuts, this may represent a performance bottleneck. 
> Has anyone found this to be so?
> Under what conditions would you use perthis{<pointcut>} or
> pertarget{<pointcut>} aspect creation?
> 
> kind regards,
> 
> craig collings
> architect
> abnamrocraigs.com
> 
> #####################################################################################
> Notice of Confidential information 
> The information contained in this electronic mail is CONFIDENTIAL INFORMATION and may
> be LEGALLY PRIVILEGED, intended only for the individual or entity named above. If you
> are not the intended recipient, you are hereby notified that the use, dissemination,
> distribution, or copying of this document is strictly prohibited. If you have received
> this electronic message in error, please immediately notify us by return or telephone
> call collect to 07 577 6049) and destroy the original message. Thank you, ABN AMRO Craigs Limited.
> 
> This e-mail message has been scanned and cleared by MailMarshal   www.marshalsoftware.com 
> 
> #####################################################################################
> _______________________________________________
> aspectj-users mailing list
> aspectj-users@xxxxxxxxxxx
> http://dev.eclipse.org/mailman/listinfo/aspectj-users
>

Prev by Date: [aspectj-users] PerClauses
Next by Date: Re: [aspectj-users] Metadata as projections onto multidimensional space
Previous by thread: [aspectj-users] PerClauses
Next by thread: [aspectj-users] exceptions in around advice
Index(es):
- Date
- Thread

Breadcrumbs