I'm putting together an LDAPRealm implementation for Catalina and have the
basic setup working. I would welcome some advice on implementation issues.

I would prefer to avoid a round trip to the LDAP server (presumably the same
could apply for a JDBCRealm or whatever) for each page requested. Hence I
could store the principal created in a HashMap as is done for the
MemoryRealm (my usage is for a small Intranet-based setup, so keeping the
whole user base in memory is not a problem) and verify the password against
this stored principal rather than doing another (possibly expensive) round
trip to the LDAP server.

However, when doing this the principal stays alive for the entire lifetime of
Tomcat. What I would like is that it only stays alive for that session, so
that when the browser is quit and restarted a new round trip to the LDAP
server is needed. My concern here is that if the LDAP administrator removed
or invalidated a user, this should be picked up by Tomcat pretty quickly.
Clearly if LDAP is being hit for every page it would be picked up
immediately. If however the principal was being stored permanently, the
invalid user would still be able to authenticate until Tomcat is
restarted. A sensible compromise would seem to be to give the principal
session scope so that once the browser is quit (assuming we're using cookies
here for session maintenance) and a new session started, the LDAP server has
to be consulted again.

The implementation issues would seem to be: can the Realm get access to the
session, and is the Realm the right place for this in the first place?

Comments or suggestions welcome.

many thanks

tim

---------------------------------------------
Tim Dudgeon
[EMAIL PROTECTED]
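
The compromise described in the post (cache the result of a successful directory authentication so most requests never touch LDAP, but make the cached entry lapse so that an account removed or disabled in the directory stops working within a bounded time), as an added example that is not Tim's code and not part of Tomcat/Catalina. It is plain Java with no Catalina dependency: `DirectoryAuthenticator` is an assumed stand-in for the LDAP bind, and the cache holds a salted SHA-256 hash of the verified password (never the password itself) against a time-to-live rather than against the servlet session, so the revocation lag is bounded even for a long-lived session. The "directory" in `main` is a constructed in-memory fake with a bind counter.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Assumed stand-in for the LDAP bind; not a Tomcat/Catalina type. */
interface DirectoryAuthenticator {
    boolean bind(String username, String password);
}

/** Caches successful directory authentications for a bounded time (example code, not Tomcat's). */
public final class CachingAuthenticator {

    /** Per-user entry: salted hash of the password that the directory accepted, plus an expiry. */
    private static final class Entry {
        final byte[] salt;
        final byte[] hash;
        final long expiresAtMillis;

        Entry(byte[] salt, byte[] hash, long expiresAtMillis) {
            this.salt = salt;
            this.hash = hash;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final DirectoryAuthenticator directory;
    private final long ttlMillis;
    private final SecureRandom random = new SecureRandom();

    public CachingAuthenticator(DirectoryAuthenticator directory, long ttlMillis) {
        this.directory = directory;
        this.ttlMillis = ttlMillis;
    }

    /** nowMillis is a parameter (rather than System.currentTimeMillis()) so the demo can advance the clock. */
    public boolean authenticate(String username, String password, long nowMillis) {
        Entry entry = cache.get(username);
        if (entry != null) {
            if (nowMillis >= entry.expiresAtMillis) {
                cache.remove(username, entry);   // expired: force a fresh directory round trip
            } else if (MessageDigest.isEqual(entry.hash, digest(entry.salt, password))) {
                return true;                     // cache hit, constant-time compare, no LDAP traffic
            }
            // wrong password for a cached user: fall through and let the directory decide
        }
        if (!directory.bind(username, password)) {
            cache.remove(username);              // a failed bind drops any stale entry at once
            return false;
        }
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        cache.put(username, new Entry(salt, digest(salt, password), nowMillis + ttlMillis));
        return true;
    }

    /** Explicit eviction, e.g. from a session listener or an administrative hook. */
    public void invalidate(String username) {
        cache.remove(username);
    }

    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JDK", e);
        }
    }

    private static void check(boolean condition, String what) {
        if (!condition) throw new AssertionError(what);
    }

    /** Scenario against a constructed fake directory: cache hit, admin disables account, TTL expiry. */
    public static void main(String[] args) {
        Map<String, String> users = new ConcurrentHashMap<>();
        users.put("tim", "correct horse");
        boolean[] disabled = {false};
        int[] binds = {0};
        DirectoryAuthenticator fakeLdap = (u, p) -> {
            binds[0]++;
            return !disabled[0] && p.equals(users.get(u));
        };

        long ttl = 5 * 60 * 1000L;               // five minutes: the revocation lag we accept
        CachingAuthenticator auth = new CachingAuthenticator(fakeLdap, ttl);
        long t0 = 0L;

        check(auth.authenticate("tim", "correct horse", t0), "first login binds to the directory");
        check(auth.authenticate("tim", "correct horse", t0 + 1000) && binds[0] == 1, "second login served from cache");
        disabled[0] = true;                      // administrator disables the account in the directory
        check(auth.authenticate("tim", "correct horse", t0 + 2000), "still cached: this is the accepted lag");
        check(!auth.authenticate("tim", "correct horse", t0 + ttl), "entry expired, directory now refuses");
        check(!auth.authenticate("tim", "wrong", t0 + ttl + 1000) && binds[0] == 3, "no cache, bind refused");
        System.out.println("scenario passed; directory binds: " + binds[0]);
    }
}
```

Compile and run with `javac CachingAuthenticator.java && java CachingAuthenticator`. The TTL needs nothing from the servlet session, which sidesteps the question of whether the Realm can reach the session at all; an application that can see session events can additionally call `invalidate` when a session ends. The single SHA-256 round is acceptable here only because the hash lives in process memory for minutes, not in a persistent store; anything written to disk should use a slow password hash instead.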


