We use JAAS in a heavily loaded web server. The configuration file is loaded from a file,
System.setProperty("java.security.auth.login.config", "/config/jaas.config");
During profiling, we noticed that the configuration is loaded from file for every login attempt. This is an I/O operation we try to avoid. Is there anyway to store the JAAS configuration in memory?
You could implement your own Configuration. The javadoc says:
The default Configuration implementation can be changed by setting the value of the "login.configuration.provider" security property (in the Java security properties file) to the fully qualified name of the desired Configuration implementation class.
The default implementation com.sun.security.auth.login.ConfigFile (source) appears to load the file each time the class is instantiated. You could cache the contents. No comment on the security aspects either way.