tomcat-users mailing list archives

From "Bill Higgins" <>
Subject Re: caching principals within Tomcat using Basic Auth and LDAP
Date Wed, 02 May 2007 01:43:01 GMT
Hi Martin,

First off, thanks for taking the time to respond.

If you look at my original post, you'll notice that I quoted the same part
of the documentation.  The problem was that although the doc asserts that
Tomcat does cache Basic Auth credentials, we tested this by viewing LDAP
logs and we observed that Tomcat authenticated every request against our
LDAP server.

I believe the doc is incorrect in stating that Tomcat caches Basic Auth
credentials.  The browser automatically caches the Basic Auth credentials
for a site/realm and automatically sends them via the Authorization header
on every subsequent request to the same site/realm.  This is great for the
user but it still resulted in our LDAP server getting hammered.

Apache HTTP Server on the other hand has a configuration setting where you
can do server-side caching of Basic Auth credentials for a period of time.
The browser still sends the Authorization header on each subsequent request,
but as long as Apache recognizes the Base64 encoded username:password within
that period of time, Apache assumes the user is still valid and doesn't
check with LDAP.  Once we configured Apache to cache Basic Auth credentials
on the server side, we observed that we only had one LDAP entry per user
(caused by the first non-cached authentication).

Does what I said make sense?  It's possible that we had a Tomcat
configuration error but we couldn't find any additional information on Basic
Auth caching other than the doc section both you and I have now quoted.

Thanks again.

On 4/29/07, Martin Gainty <> wrote:
> Hello Bill
> "Once a user has been authenticated, the user (and his or her associated
> roles) are cached within Tomcat for the duration of the user's login. (For
> FORM-based authentication, that means until the session times out or is
> invalidated; for BASIC authentication, that means until the user closes
> their browser)"
> I concur to look at authentication from another source such as Apache if
> you're looking for BASIC auth beyond the session's timeout or is
> invalidated (including user close of Browser)
> Does this conform to your understanding?
> Thx,
> Martin
> This email message and any files transmitted with it contain confidential
> information intended only for the person(s) to whom this email message is
> addressed.  If you have received this email message in error, please notify
> the sender immediately by telephone or email and destroy the original
> message without making a copy.  Thank you.
> ----- Original Message -----
> From: "Bill Higgins" <>
> To: <>
> Sent: Sunday, April 29, 2007 8:44 PM
> Subject: Re: caching principals within Tomcat using Basic Auth and LDAP
> > FYI, we ended up finding a solution to the problem above, but it required
> > us to use Apache HTTP Server rather than Tomcat to secure the URLs and
> > cache the Basic Auth credentials (since Tomcat apparently cannot do so) and
> > configure Tomcat to respect the other component as the trusted source of
> > principal information.
> >
> > In detail:
> >
> >   - remove all security constraints from our Tomcat webapp's web.xml file
> >   - install Apache HTTP Server to front Tomcat and configure Apache to
> >   secure the same paths that Tomcat had previously secured
> >   - configure Apache to cache Basic Auth credentials for 10 minutes at a
> >   time
> >   - configure Tomcat so that when you call
> >   HttpServletRequest#getRemoteUser(), Tomcat gets the info from Apache
> >   (this is invisible to the calling code)
> >
> > --
> >
> > - Bill
> >


- Bill
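The server-side cache Bill describes above (recognise the Base64 credential from the Authorization header, honour it for a fixed window, and bind to LDAP only on a miss or after the window expires), modelled as an added Python example; this is not code from the thread, from Tomcat or from Apache httpd, and FakeLdap, CachingBasicAuthenticator and the user data are constructed for the demonstration.

```python
import base64
import hashlib
CACHE_TTL_SECONDS = 600  # the 10-minute window used in the thread

class FakeLdap:  # constructed stand-in for the directory; counts binds so the cache's effect is visible
    def __init__(self, users):
        self.users, self.bind_calls = users, 0  # username -> password, constructed test data
    def bind(self, username, password):
        self.bind_calls += 1
        return self.users.get(username) == password  # stub; a real server performs an LDAP simple bind

class CachingBasicAuthenticator:
    """Checks 'Authorization: Basic ...' and caches successes for ttl seconds: one bind per user per window."""
    def __init__(self, ldap, clock, ttl=CACHE_TTL_SECONDS):
        self.ldap, self.clock, self.ttl = ldap, clock, ttl
        self._cache = {}  # sha256(base64 token) -> (username, expiry)
    def authenticate(self, header):
        if not header or not header.startswith("Basic "):
            return None
        token = header[6:].strip()
        key = hashlib.sha256(token.encode("utf-8")).digest()  # never key the cache on the raw credential
        now = self.clock()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]  # still inside the window: no directory round trip
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        # Never send an empty password to the directory: a passwordless simple bind is an anonymous bind on many servers.
        if not user or not pw or not self.ldap.bind(user, pw):
            return None  # failures are deliberately not cached
        self._cache[key] = (user, now + self.ttl)
        return user

def basic_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")

def run_demo():
    """Constructed scenario; returns the results and bind counts after each phase."""
    clock, ldap = [1000.0], FakeLdap({"alice": "s3cret"})
    auth = CachingBasicAuthenticator(ldap, clock=lambda: clock[0])
    good = basic_header("alice", "s3cret")
    users = [auth.authenticate(good) for _ in range(3)]  # one miss, then two hits inside the window
    binds_after_3 = ldap.bind_calls
    rejected = [auth.authenticate(h) for h in (basic_header("alice", "wrong"), basic_header("alice", ""), "Basic not*base64")]
    binds_after_rejects = ldap.bind_calls  # only the wrong password reached the directory
    clock[0] += CACHE_TTL_SECONDS + 1  # window expired: the next request must bind again
    after_ttl = auth.authenticate(good)
    return users, binds_after_3, rejected, binds_after_rejects, after_ttl, ldap.bind_calls
```

A cached entry keeps working until the window ends even if the password was changed or the account disabled in the directory, so the TTL is the revocation latency accepted in exchange for the reduced bind load.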
