tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Stateless application is very slow using LDAP authentication
Date Tue, 22 Apr 2014 13:52:01 GMT
Frédéric Poliquin wrote:
> Hi,
> I'm working on a stateless application which does not create an http session. This application
has a standard security constraint requesting basic authentication on all resources.
> Tomcat is configured using a standard JNDIRealm to authenticate against Active Directory.
Authentication and authorisation are working fine but with this configuration, the application
is very slow; we even get timeouts from requirejs. The documentation says:
> "Once a user has been authenticated, the user (and his or her associated roles) are cached
within Tomcat for the duration of the user's login. (For FORM-based authentication, that means
until the session times out or is invalidated; for BASIC authentication, that means until
the user closes their browser). The cached user is not saved and restored across sessions
serialisations. Any changes to the directory information for an already authenticated user
will not be reflected until the next time that user logs on again."

I see this paragraph too, in :
"Additional Notes"
  and I believe that it is unclear (or maybe the parenthesis are misplaced).

I don't think that Tomcat can cache the authentication information if there is no session,

and thus for Basic Authentication, it probably calls the LDAP server at each request, to 
re-authenticate the user.

> Does Tomcat have a cache outside the http session? Is there a workaround to get one?
> Does Tomcat can be used as a simple file server with LDAP authentication?

You should probably describe your application a bit more, and also explain why you seem to

be adverse to sessions.

That's because it seems to me that using sessions would be the answer here.
And that is because I believe (maybe wrongly) that Tomcat *does* cache the authenticated 
user-id within the session.  Most authentication schemes would not make much sense if that

is not the case.

> We are using Tomcat 7.0.53 with JDK  1.7.0_55 on Windows Server 2008 R2.
> Thank you.
> Frédéric.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message