Frédéric Poliquin wrote:
Hi,
I'm working on a stateless application which does not create an http session.
This application has a standard security constraint requesting basic
authentication on all resources.
Tomcat is configured using a standard JNDIRealm to authenticate against Active
Directory. Authentication and authorisation are working fine but with this
configuration, the application is very slow; we even get timeouts from
requirejs. The documentation says:
"Once a user has been authenticated, the user (and his or her associated roles) are
cached within Tomcat for the duration of the user's login. (For FORM-based
authentication, that means until the session times out or is invalidated; for BASIC
authentication, that means until the user closes their browser). The cached user is not
saved and restored across session serialisations. Any changes to the directory
information for an already authenticated user will not be reflected until the next time
that user logs on again."
I see this paragraph too, in :
https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
"Additional Notes"
and I believe that it is unclear (or maybe the parentheses are misplaced).
I don't think that Tomcat can cache the authentication information if there is no session,
and thus for Basic Authentication, it probably calls the LDAP server at each request, to
re-authenticate the user.
Does Tomcat have a cache outside the http session? Is there a workaround to get
one?
Can Tomcat be used as a simple file server with LDAP authentication?
You should probably describe your application a bit more, and also explain why you seem to
be averse to sessions.
That's because it seems to me that using sessions would be the answer here.
And that is because I believe (maybe wrongly) that Tomcat *does* cache the authenticated
user-id within the session. Most authentication schemes would not make much sense if that
is not the case.
We are using Tomcat 7.0.53 with JDK 1.7.0_55 on Windows Server 2008 R2.
Thank you.
Frédéric.
frederic.poliq...@dti.ulaval.ca<mailto:frederic.poliq...@dti.ulaval.ca>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
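As an added illustration of the point made in the reply above (this is an example written for this page, not code from the thread, from Tomcat's documentation or from the poster's application), the following context.xml shows the two pieces that interact here: the JNDIRealm, which performs the LDAP bind and by itself caches nothing, and the BASIC authenticator valve, whose cache lives in the HTTP session. Declaring the valve explicitly lets you set alwaysUseSession="true", so that Tomcat creates a session on the first successful BASIC authentication and stores the Principal in it; later requests that carry the JSESSIONID cookie are served from that cache instead of re-binding to Active Directory. The host names, DNs, password and search filters are placeholders, and the web application is still assumed to declare BASIC auth in its web.xml as the original poster describes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application (added example; all values
     below are placeholders, not the poster's real configuration). -->
<Context>

  <!-- JNDIRealm against Active Directory, as in the thread. The Realm only
       answers "are these credentials valid, and which roles?"; it keeps no
       per-user cache of its own, so without a session it is consulted on
       every request. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ad.example.org:389"
         connectionName="CN=tomcat-bind,OU=Service Accounts,DC=example,DC=org"
         connectionPassword="changeit"
         userBase="OU=Users,DC=example,DC=org"
         userSubtree="true"
         userSearch="(sAMAccountName={0})"
         roleBase="OU=Groups,DC=example,DC=org"
         roleSubtree="true"
         roleName="cn"
         roleSearch="(member={0})" />

  <!-- Tomcat adds a BasicAuthenticator implicitly for
       <auth-method>BASIC</auth-method>; declaring it here replaces the
       implicit one and exposes its attributes.
       cache="true" is the default: cache the authenticated Principal in the
       session if one exists.
       alwaysUseSession="true" is not the default: create a session on the
       first successful authentication so that there is somewhere to cache,
       which is exactly what a session-less application lacks. -->
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         cache="true"
         alwaysUseSession="true" />

</Context>
```

Two caveats for a practitioner. The browser still sends the Authorization header on every request, but with the cached Principal in place Tomcat accepts it without re-binding to the directory, so the credential is not re-verified until the session expires or is invalidated; the session timeout in web.xml therefore bounds how long a password change or account lockout in Active Directory goes unnoticed, matching the "not reflected until the next time that user logs on again" note quoted above. And the cache only helps clients that return the JSESSIONID cookie; a client that discards cookies gets a fresh session and a fresh LDAP bind each time, which is the original symptom again.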