Leo Donahue wrote:
On Tue, Apr 22, 2014 at 8:48 AM, André Warnier <a...@ice-sa.com> wrote:
Frédéric Poliquin wrote:
<< What if you disable authentication entirely as a test... do things speed up? >> Answer is YES
<< Do you have a problem only under load or also when you are testing a single-user? >> Single user
What I did is to put Tomcat behind an Apache Server which solved my
problem. Maybe it could be a good new feature to add in future releases...
Can you explain how this solved your problem?
If you are using Basic Authentication, without sessions, even httpd would
need to re-authenticate to AD/LDAP with every request, no?
(I stand corrected, with the documentation Frédéric points to in a later post:
http://httpd.apache.org/docs/current/mod/mod_ldap.html#cache
httpd does cache the LDAP authentication information, independently of
sessions).
So that probably answers the performance difference question also.
And I do also now understand his suggestion for an enhancement to the Tomcat JNDIRealm, to
do the same kind of thing, if it doesn't already.
I'm somewhat more concerned for the OP if he is using Basic Authentication
and LDAP. Passwords going over the network unprotected. Am I the only one
seeing this?
Well, all things considered, over the last 2 years that has been a rather more secure
method than HTTPS, no? At least, all they could steal was your password.
;-)
P.S. I am jesting of course, and your concern is justified, particularly since Frédéric is
talking about using an AD/LDAP system as the back-end. Unless that AD system is only used
for this application, that would be a concern.
(But by the way, Frédéric never said this was pure HTTP; it could all be going
over HTTPS)
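
The setup discussed in this thread (httpd in front of Tomcat, with mod_ldap caching LDAP authentication results independently of sessions), as an added configuration example that is not from any of the posters. Host names, DNs, file paths, the `/app` context and the cache values are constructed placeholders; LDAPS to the directory and a TLS virtual host are assumed so that the Basic credentials are not sent in clear on either leg.

```apache
# Constructed example: names, paths, DNs and values are placeholders,
# not taken from the thread.
# Requires mod_ssl, mod_ldap, mod_authnz_ldap, mod_proxy and mod_proxy_ajp.

# --- mod_ldap cache (server config scope) ---
# Bytes of shared memory for the cache shared by all httpd processes.
LDAPSharedCacheSize 500000
# Search/bind cache: searches that ended in a successful bind.
# Failed attempts are not cached.
LDAPCacheEntries 1024
# Seconds a cached bind stays valid. A cached success is reused until it
# expires, so keep this short enough that a changed or disabled account
# stops being accepted promptly.
LDAPCacheTTL 300
# Operation cache: compare results (for example group membership checks).
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 300

# CA that signed the directory server's certificate, used for ldaps://
LDAPTrustedGlobalCert CA_BASE64 "/etc/httpd/conf/ad-ca.pem"
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName app.example.com
    # TLS on the browser-to-httpd leg protects the Basic Authorization header.
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/conf/app.example.com.crt"
    SSLCertificateKeyFile "/etc/httpd/conf/app.example.com.key"

    <Location "/app">
        AuthType Basic
        AuthName "Example application"
        AuthBasicProvider ldap
        # ldaps:// protects the httpd-to-AD leg.
        AuthLDAPURL "ldaps://ad.example.com:636/ou=Users,dc=example,dc=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "cn=httpd-bind,ou=Service,dc=example,dc=com"
        AuthLDAPBindPassword "CHANGE_ME"
        Require valid-user
    </Location>

    # Hand authenticated requests to Tomcat's AJP connector.
    ProxyPass        "/app" "ajp://localhost:8009/app"
    ProxyPassReverse "/app" "ajp://localhost:8009/app"
</VirtualHost>
```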