Frédéric,
On 4/22/14, 9:29 AM, Frédéric Poliquin wrote:
> Hi,
>
> I'm working on a stateless application which does not create an
> http session. This application has a standard security constraint
> requesting basic authentication on all resources.
>
> Tomcat is configured using a standard JNDIRealm to authenticate
> against Active Directory. Authentication and authorisation are
> working fine but with this configuration, the application is very
> slow; we even get timeouts from requirejs. The documentation says:
>
> "Once a user has been authenticated, the user (and his or her
> associated roles) are cached within Tomcat for the duration of the
> user's login. (For FORM-based authentication, that means until the
> session times out or is invalidated; for BASIC authentication,
> that means until the user closes their browser). The cached user is
> not saved and restored across session serialisations. Any changes
> to the directory information for an already authenticated user will
> not be reflected until the next time that user logs on again."
>
> Does Tomcat have a cache outside the http session? Is there a
> workaround to get one? Can Tomcat be used as a simple file
> server with LDAP authentication?
>
> We are using Tomcat 7.0.53 with JDK 1.7.0_55 on Windows Server
> 2008 R2.

Have you used a profiler or crude thread dumps to determine the reason
for the slowness? What if you disable authentication entirely as a
test... do things speed up?

The javadoc for JNDIRealm says that authenticate() is synchronized
because there is no connection pooling implemented to the AD server.
Do you have a problem only under load or also when you are testing a
single user?

The AuthenticatorBase component (parent of (HTTP)BasicAuthenticator)
implements a caching mechanism for requests and sessions (if in
existence) to improve performance. Because you have disabled sessions
(or avoided their creation), you are not benefiting from this caching
mechanism.
The BasicAuthenticatorValve (which is being used whether you explicitly
declare it or not) has an "alwaysUseSession" attribute which you can
flip in order to force the creation of sessions to enable this type of
caching.

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Basic_Authenticator_Valve

This will always create a session for the client. But, since you are
not using the sessions for anything else (i.e. stateless), switching
servers will not be a problem for the client: they will experience a
short delay while waiting to authenticate with the new server if they
have to switch. In order to get the most benefit from this caching
feature, you should enable session stickiness on your load balancer(s).

Hope that helps,
-chris
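The alwaysUseSession change discussed in this thread, written out as an added configuration example (constructed for illustration, not taken from the original messages or from Tomcat's own samples); the JNDIRealm attribute values are placeholders standing in for the questioner's Active Directory settings, and the web.xml excerpt assumes the "basic authentication on all resources" constraint described in the question.

```xml
<!-- META-INF/context.xml (constructed example). Realm values are placeholders
     for the questioner's AD settings; the realm itself is unchanged. -->
<Context>
  <!-- JNDIRealm.authenticate() is synchronized and uses no connection pool,
       so every request that is not answered from a cache pays a serialized
       round trip to the directory. -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://AD_HOST_PLACEHOLDER:389"
         connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=com"
         connectionPassword="PASSWORD_PLACEHOLDER"
         userBase="OU=Users,DC=example,DC=com"
         userSearch="(sAMAccountName={0})"
         userSubtree="true"
         roleBase="OU=Groups,DC=example,DC=com"
         roleName="cn"
         roleSearch="(member={0})"
         roleSubtree="true"/>

  <!-- Declaring the valve Tomcat would otherwise add implicitly for
       <auth-method>BASIC</auth-method>, so that alwaysUseSession can be set.
       With alwaysUseSession="true" the authenticated Principal is cached in
       a session and the realm is consulted once per session rather than
       once per request. Without it (the default, "false") a stateless app
       authenticates against AD on every single request. -->
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         alwaysUseSession="true"/>
</Context>

<!-- WEB-INF/web.xml (excerpt, constructed example). The constraint is the
     "basic authentication on all resources" setup from the question. The
     session timeout now bounds how long a cached user (and their roles)
     can outlive a change made in the directory, per the quoted docs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All resources</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ACME Intranet</realm-name>
</login-config>
<session-config>
  <session-timeout>30</session-timeout>
</session-config>
```

Because the cache now lives in the session, a load balancer in front of several Tomcat nodes should use session stickiness, as the reply notes; otherwise each node the client lands on re-authenticates it against AD once before its own cache takes over.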