Sunday, October 31, 2010

Configuring Java VM options to get rid of memory issues

When using applications such as IntelliJ IDEA or Maven with projects that have a large code base, such as WSO2 Carbon, I have encountered these programs complaining about memory issues such as:

1. Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
2. java.lang.OutOfMemoryError: PermGen space

The first error occurs when the Java heap size allocated to that particular application is not enough, regardless of how much memory the machine has. To get rid of it, you can resize the initial and maximum Java heap sizes allocated to that application.
In Ubuntu, those values can be configured in the mvn.sh file (usually found in /usr/bin) for Maven and in the idea.vmoptions file (found in <IDEA installation directory>/bin) for IDEA.
-Xms is the parameter that defines the initial Java heap size and -Xmx is the parameter that defines the maximum Java heap size. In other words, the application starts with the heap size defined in -Xms and the heap grows until it reaches the size defined in -Xmx. Therefore it is recommended to give two values, with the latter larger than the former.
E.g., for IDEA I would set: -Xms512m and -Xmx1024m

You get the second error when the space that holds the permanent generation fills up. The permanent generation holds metadata about user classes. (The garbage collector maintains objects in several generations. Read more about this from here)
You can get rid of this error by assigning proper values to the -XX:PermSize and -XX:MaxPermSize parameters according to the requirements of your application.
For example, I would set it in Maven as:
-XX:PermSize=256m -XX:MaxPermSize=512m
In Ubuntu, you can set it by editing the mvn.sh file to include this line under Optional ENV vars:
export MAVEN_OPTS="-Xmx1024m -XX:PermSize=256m -XX:MaxPermSize=512m"

Sunday, October 24, 2010

Policy based access control-part 1

This is going to be my first post on this subject. I got interested in it after attending an informative webinar on Policy based access control with XACML. I am also an amateur in this field and hope to post rich content in the future.

Identity management in organizations has been evolving over the past years. At first, authentication for different applications was managed separately. Then came centralized identity management, where many applications in the organization authenticated users from a central user store such as an LDAP store. The requirement of allowing or restricting different users' access to different resources based on organizational and business rules was earlier achieved by project based solutions such as Role Based Access Control and Access Control Lists. Those mechanisms lack interoperability and flexibility.

Policy based access control (PBAC) can be used instead; it allows access rules to be defined as policies and easily updated as the rules change. As organizations grow larger and many large scale distributed applications access resources, it is better to have these policies managed at a central location, in order to preserve consistency, and to grant access to users from there. Policy based access control with XACML is becoming increasingly popular as a solution to address such requirements.

It is important to note that XACML is a flexible and powerful authorization policy expression language, but not a policy model or concept of its own. PBAC solutions based on XACML have three main parts:
  1. Reference Architecture
  2. Request/Response protocol
  3. Policy Language
I plan to discuss each of the above in detail in my future posts on the subject.
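
The pattern described above, as an added sketch that is not from the original post and is not XACML syntax: policies are data held by one central decision point, and an application only sends a request and enforces the response. The attribute names, rule format, sample policies and the choice of deny-overrides combining are assumptions made for illustration.

```python
# Added illustration: simplified PBAC in the XACML style (not XACML syntax).
# Attribute names, rule format and sample policies are constructed.
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    effect: str   # PERMIT or DENY
    target: dict  # attribute name -> required value; every entry must match

    def evaluate(self, request: dict) -> str:
        matched = all(request.get(k) == v for k, v in self.target.items())
        return self.effect if matched else NOT_APPLICABLE

class PolicyDecisionPoint:
    """Central policy store and evaluator (deny-overrides combining)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, request: dict) -> str:
        results = {rule.evaluate(request) for rule in self.rules}
        if DENY in results:
            return DENY  # one matching Deny beats any number of Permits
        return PERMIT if PERMIT in results else NOT_APPLICABLE

def enforce(pdp: PolicyDecisionPoint, request: dict) -> bool:
    """Enforcement point in the application: only an explicit Permit passes."""
    return pdp.decide(request) == PERMIT

# Constructed policy set, held centrally instead of inside each application.
pdp = PolicyDecisionPoint([
    Rule(PERMIT, {"role": "developer", "resource": "source-repo", "action": "read"}),
    Rule(PERMIT, {"role": "release-manager", "resource": "source-repo", "action": "write"}),
    Rule(DENY, {"employment": "contractor", "action": "write"}),
])

if __name__ == "__main__":
    for request in (
        {"role": "developer", "resource": "source-repo", "action": "read"},
        {"role": "release-manager", "employment": "contractor",
         "resource": "source-repo", "action": "write"},
        {"role": "intern", "resource": "source-repo", "action": "read"},
    ):
        print(request, "->", pdp.decide(request), "| allowed:", enforce(pdp, request))
    # A rule change is a policy update at the PDP; the applications are untouched.
    pdp.rules.append(Rule(DENY, {"resource": "source-repo", "network": "external"}))
    print(pdp.decide({"role": "developer", "resource": "source-repo",
                      "action": "read", "network": "external"}))
```

A request that no rule matches comes back as NotApplicable, and the enforcement point treats that the same as a denial, so access is refused unless a policy explicitly permits it.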