tomcat-users mailing list archives

From André Warnier
Subject Re: Stateless application is very slow using LDAP authentication
Date Tue, 22 Apr 2014 16:53:26 GMT
Leo Donahue wrote:
> On Tue, Apr 22, 2014 at 8:48 AM, André Warnier <> wrote:
>> Frédéric Poliquin wrote:
>>> << What if you disable authentication entirely as a test... do things
>>> speed-up?>> Answer is YES
>>> << Do you have a problem only under load or also when you are testing a
>>> single-user?>> Single user
>>> What I did is to put Tomcat behind an Apache Server which solved my
>>> problem. Maybe it could be a good new feature to add in future releases...
>> Can you explain how this solved your problem ?
>> If you are using Basic Authentication, without sessions, even httpd would
>> need to re-authenticate to AD/LDAP with every request, no ?

(I stand corrected, with the documentation Frédéric points to in a later post :
httpd does cache the LDAP authentication information, independently of sessions).
So that probably answers the performance difference question also.

And I do also now understand his suggestion for an enhancement to the Tomcat JNDIRealm, to
do the same kind of thing, if it doesn't already.

> I'm somewhat more concerned for the OP if he is using Basic Authentication
> and LDAP.  Passwords going over the network unprotected.  Am I the only one
> seeing this?

Well, all things considered, over the last 2 years that has been a rather more secure 
method than HTTPS, no ? At least, all they could steal was your password.

P.S. I am jesting of course, and your concern is justified, particularly since Frédéric is
talking about using an AD/LDAP system as the back-end.  Unless that AD system is only used
for this application, that would be a concern.

(But by the way, Frédéric never said this was pure HTTP; it could all be going over HTTPS)

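The setup discussed in this message (httpd in front of Tomcat, with httpd caching LDAP authentication results, and Basic credentials kept off plain HTTP), as an added configuration sketch that is not part of the original message or taken from any poster's system. Host names, DNs, file paths, the bind password and the AJP back-end address are placeholders and assumptions.

```apache
# Constructed example: every host name, DN, path and password is a placeholder.

# mod_ldap cache (server-wide). Successful search/bind results are cached,
# so repeated Basic-auth requests do not each cause a bind against AD/LDAP.
# Trade-off: a changed password or disabled account can stay valid in the
# cache for up to LDAPCacheTTL seconds, so keep the TTL short.
LDAPSharedCacheSize 500000
LDAPCacheEntries    1024
LDAPCacheTTL        300
LDAPOpCacheEntries  1024
LDAPOpCacheTTL      300

# Verify the directory server's certificate on ldaps:// connections.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ad-ca.pem
LDAPVerifyServerCert  On

<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/app.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/app.example.com.key

    <Location "/app">
        AuthType Basic
        AuthName "Example application"
        AuthBasicProvider ldap
        # ldaps:// so the user's password is also protected between httpd and AD.
        AuthLDAPURL "ldaps://ad.example.com:636/ou=People,dc=example,dc=com?sAMAccountName?sub"
        AuthLDAPBindDN "cn=httpd-bind,ou=Service,dc=example,dc=com"
        AuthLDAPBindPassword "REPLACE_ME"
        Require valid-user
    </Location>

    # Assumed back end: Tomcat AJP connector on localhost, configured with
    # tomcatAuthentication="false" so it accepts the user httpd authenticated.
    ProxyPass        "/app" "ajp://localhost:8009/app"
    ProxyPassReverse "/app" "ajp://localhost:8009/app"
</VirtualHost>

# Plain HTTP only redirects; the Basic challenge is issued over TLS only.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent "/" "https://app.example.com/"
</VirtualHost>
```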