SecurityManager: why recreate Permission-objects on every check?

Hi all,

I am trying to implement a Struts web-application on top of a Java SecurityManager. I have created a custom URLPermission class allowing to specify a URL and some actions. So far so good: the system checks and grants/rejects permissions as expected.

But: apparently, whenever I check a permission (using the Subject.doAsPriviliged method), the SecurityManager appears to reload all permissions from my policy-file and recreate the URLPermission-objects it needs to validate (implies()-method) against EVERY TIME !!

Obviously, this becomes an expensive operation when many users are accessing the website concurrently, especially when the application has many URLs to secure (resulting in as many permissions defined in the policy file).

Has anyone an idea as to why the SecurityManager does not cache those Permission-objects after first creation? I really don't see the point in not doing this. Or has anyone an idea to prevent this behaviour?

Thanks for your response...

And BTW: Java Security rules (although it is a real sometimes pain to get started with) !!