Our JBoss Portal environment is integrated with Active Directory. We have about 100 groups that show up in the security screen for both portal objects and portlet instances. We noticed that the performance continually got worse as the number of groups increased.
I have attached some changes to the AuthorizationBean to cache the role actions so that the DomainConfigurator.getSecurityBindings() method is not called for each role. The cache expires when the URI changes. Since the InstanceManagerBean and PortalObjectManagerBeans are session scoped it should be safe to make these changes. This solution also resolves another issue in that the list of roles may change between the view and save actions and apply privileges to the incorrect roles. We've had this happen a few times.
Please review the attached files: