> When you say that you put a reverse proxy in front of Tomcat... do you mean
> that you pushed the authentication out to the proxy layer?

Yes, I'm delegating everything to HTTPD using an AJP connector.

> This means that if the user changes their password or the group-membership
> changes on the LDAP side, httpd won't know about those changes and therefore
> old credentials are still valid, old group-based authentication checks will
> yield invalid authentication decisions based upon the canonical LDAP
> service's view of the world.

So does session caching! Actually, HTTPD has better control because it allows you to choose the appropriate TTL instead of assuming the same credentials for the whole session.

Frédéric.
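An added example, not part of the original thread: an httpd configuration sketch for the setup discussed above, where httpd authenticates against LDAP, caches the results for a bounded TTL, and passes the authenticated user to Tomcat over AJP. The host names, DNs, paths and the 60-second values are assumptions chosen for illustration.

```apache
# Constructed example: host names, DNs and paths are placeholders.
# Requires mod_ldap, mod_authnz_ldap, mod_proxy and mod_proxy_ajp.

# mod_ldap cache lifetimes (server-wide, set outside any <Location>):
#   LDAPCacheTTL   - cached search/bind results, i.e. the user's DN and a
#                    successful password check (seconds, default 600)
#   LDAPOpCacheTTL - cached compare results, which include group-membership
#                    checks (seconds, default 600)
# A password change or group removal on the LDAP side can go unnoticed by
# httpd for at most this long.
LDAPCacheTTL   60
LDAPOpCacheTTL 60

<Location "/app">
    AuthType Basic
    AuthName "Example application"
    AuthBasicProvider ldap

    # Look the user up by uid under the people subtree, over LDAPS.
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"
    AuthLDAPBindDN "cn=httpd,ou=services,dc=example,dc=com"
    # Hypothetical helper script that prints the bind password on stdout.
    AuthLDAPBindPassword "exec:/usr/local/bin/ldap-bind-secret"

    # Group-based authorization decided by httpd, not by Tomcat.
    Require ldap-group cn=app-users,ou=groups,dc=example,dc=com

    # Forward to Tomcat's AJP connector; the authenticated user name travels
    # with the request. The Tomcat <Connector> needs
    # tomcatAuthentication="false" to accept it.
    ProxyPass "ajp://127.0.0.1:8009/app"
</Location>
```

Shorter TTLs make LDAP-side changes take effect sooner at the cost of more queries to the directory. The AJP port should be reachable only from the proxy, since Tomcat trusts the user name it receives there.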