On 4/22/2014 12:16 PM, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Frédéric,

On 4/22/14, 12:38 PM, Frédéric Poliquin wrote:
Passwords are protected using standard SSL. Eventually, the plan
is to move towards OAuth 2.0 with a cookie/security token but until
then I needed a quick solution...

For the other question, Apache httpd has an authentication cache
which prevents going to Active Directory every time which is not
linked to any session. It is documented here:
http://httpd.apache.org/docs/current/mod/mod_ldap.html#cache

For those readers who don't feel like reading/understanding the
documentation, what Frédéric is leaving unsaid is that mod_ldap caches
the results of various lookups. It's somewhat important to note that
the authentication information itself is not cached: there is no LDAP
token or anything like that that survives across individual requests
from a client. Instead, the results of a particular lookup are cached.

This means that if the user changes their password or the
group-membership changes on the LDAP side, httpd won't know about
those changes, and therefore old credentials are still valid, and old
group-based authentication checks will yield invalid authentication
decisions based upon the canonical LDAP service's view of the world.


http://httpd.apache.org/docs/current/mod/mod_ldap.html#ldapopcachettl

Balancing liveliness versus performance versus accuracy is an exercise left for the reader.

This may not be a big deal to you, but it's important to note that it
is a side-effect of such caching.

- -chris


. . . . just my two cents
/mde/
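To make the side-effect Chris describes concrete, here is an added example (not code from the thread, from mod_ldap, or from Frédéric's setup) that models mod_ldap's two result caches in Python: a search/bind cache keyed on the user DN plus a hash of the bind password, expiring after LDAPCacheTTL, and a compare-operation cache keyed on (group, DN), expiring after LDAPOpCacheTTL. The directory, the clock, the user DN and the 600-second defaults are all constructed for the illustration; the model caches both positive and negative results, which is an assumption and not necessarily what mod_ldap does. It shows the stale window: after the directory rotates alice's password and drops her from the admins group, httpd keeps accepting the old password and the old group membership until the TTL runs out, while a direct bind against the directory already fails. A TTL of 0 (the same effect as LDAPCacheEntries 0 / LDAPOpCacheEntries 0 in httpd) closes the window at the cost of a directory round-trip per request.

```python
"""Model of mod_ldap-style TTL result caching (constructed illustration, not mod_ldap code)."""
import hashlib


class FakeClock:
    """Manual clock so the stale window can be stepped through deterministically."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class FakeDirectory:
    """Stand-in for Active Directory / LDAP: the canonical view of the world."""

    def __init__(self):
        self._passwords = {}
        self._groups = {}

    def set_password(self, dn, password):
        self._passwords[dn] = password

    def set_group(self, group, members):
        self._groups[group] = set(members)

    def bind(self, dn, password):
        return self._passwords.get(dn) == password

    def compare_member(self, group, dn):
        return dn in self._groups.get(group, set())


class CachingLdapAuth:
    """Caches lookup results the way mod_ldap's search/bind cache (LDAPCacheTTL)
    and compare-operation cache (LDAPOpCacheTTL) do. A TTL of 0 disables that cache."""

    def __init__(self, directory, clock, cache_ttl=600, op_cache_ttl=600):
        self.directory = directory
        self.clock = clock
        self.cache_ttl = cache_ttl
        self.op_cache_ttl = op_cache_ttl
        self._bind_cache = {}  # (dn, sha256(password)) -> (result, inserted_at)
        self._op_cache = {}    # (group, dn) -> (result, inserted_at)
        self.directory_calls = 0

    def _lookup(self, cache, key, ttl, do_query):
        entry = cache.get(key)
        if entry is not None and self.clock.now - entry[1] < ttl:
            return entry[0]  # cache hit: the directory is not consulted at all
        self.directory_calls += 1
        result = do_query()
        if ttl > 0:
            cache[key] = (result, self.clock.now)
        return result

    def authenticate(self, dn, password):
        # Keyed on a password hash, not the password itself (modelling assumption).
        key = (dn, hashlib.sha256(password.encode()).hexdigest())
        return self._lookup(self._bind_cache, key, self.cache_ttl,
                            lambda: self.directory.bind(dn, password))

    def is_member(self, group, dn):
        return self._lookup(self._op_cache, (group, dn), self.op_cache_ttl,
                            lambda: self.directory.compare_member(group, dn))


def stale_window_demo(cache_ttl=600, op_cache_ttl=600):
    """Return httpd's decision at each step next to the directory's own view."""
    clock, ldap = FakeClock(), FakeDirectory()
    alice = "uid=alice,ou=people,dc=example,dc=com"  # constructed DN
    ldap.set_password(alice, "old-pw")
    ldap.set_group("admins", [alice])
    httpd = CachingLdapAuth(ldap, clock, cache_ttl, op_cache_ttl)
    out = {}
    out["before_change"] = (httpd.authenticate(alice, "old-pw")
                            and httpd.is_member("admins", alice))
    # Password rotated and group membership revoked on the directory side.
    ldap.set_password(alice, "new-pw")
    ldap.set_group("admins", [])
    clock.advance(10)
    out["httpd_old_pw_after_change"] = httpd.authenticate(alice, "old-pw")
    out["httpd_admin_after_change"] = httpd.is_member("admins", alice)
    out["directory_old_pw_after_change"] = ldap.bind(alice, "old-pw")
    clock.advance(max(cache_ttl, op_cache_ttl))  # step past both TTLs
    out["httpd_old_pw_after_ttl"] = httpd.authenticate(alice, "old-pw")
    out["httpd_admin_after_ttl"] = httpd.is_member("admins", alice)
    return out


if __name__ == "__main__":
    for ttl in (600, 0):
        print(f"LDAPCacheTTL/LDAPOpCacheTTL = {ttl}:", stale_window_demo(ttl, ttl))
```

With the 600-second defaults the revoked password and group membership keep working at httpd for up to ten minutes; with both TTLs at 0 every request hits the directory and the change is seen immediately. Shortening LDAPCacheTTL and LDAPOpCacheTTL trades directory load for a shorter stale window, which is the balance the message above leaves to the reader.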
