Hi Martin,

First off, thanks for taking the time to respond.

If you look at my original post, you'll notice that I quoted the same part of the documentation. The problem was that although the doc asserts that Tomcat does cache Basic Auth credentials, we tested this by viewing LDAP logs and we observed that Tomcat authenticated every request against our LDAP server. I believe the doc is incorrect in stating that Tomcat caches Basic Auth credentials.

The browser automatically caches the Basic Auth credentials for a site/realm and automatically sends them via the Authorization header on every subsequent request to the same site/realm. This is great for the user, but it still resulted in our LDAP server getting hammered.

Apache HTTP Server, on the other hand, has a configuration setting where you can do server-side caching of Basic Auth credentials for a period of time. The browser still sends the Authorization header on each subsequent request, but as long as Apache recognizes the Base64-encoded username:password within that period of time, Apache assumes the user is still valid and doesn't check with LDAP. Once we configured Apache to cache Basic Auth credentials on the server side, we observed that we only had one LDAP entry per user (caused by the first non-cached authentication).

Does what I said make sense? It's possible that we had a Tomcat configuration error, but we couldn't find any additional information on Basic Auth caching other than the doc section both you and I have now quoted.

Thanks again.

On 4/29/07, Martin Gainty <[EMAIL PROTECTED]> wrote:
> Hello Bill
>
> http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
>
> "Once a user has been authenticated, the user (and his or her associated roles) are cached within Tomcat for the duration of the user's login. (For FORM-based authentication, that means until the session times out or is invalidated; for BASIC authentication, that means until the user closes their browser)"
>
> I concur that you should look at authentication from another source such as Apache if you're looking for BASIC auth beyond the session's timeout or invalidation (including the user closing the browser).
>
> Does this conform to your understanding?
>
> Thx,
> Martin
>
> ----- Original Message -----
> From: "Bill Higgins" <[EMAIL PROTECTED]>
> To: <users@tomcat.apache.org>
> Sent: Sunday, April 29, 2007 8:44 PM
> Subject: Re: caching principals within Tomcat using Basic Auth and LDAP
>
> > FYI, we ended up finding a solution to the problem above, but it required us to use Apache HTTP Server rather than Tomcat to secure the URLs and cache the Basic Auth credentials (since Tomcat apparently cannot do so) and configure Tomcat to respect the other component as the trusted source of principal information.
> >
> > In detail:
> >
> > - remove all security constraints from our Tomcat webapp's web.xml file
> > - install Apache HTTP Server to front Tomcat and configure Apache to secure the same paths that Tomcat had previously secured
> > - configure Apache to cache Basic Auth credentials for 10 minutes at a time
> > - configure Tomcat so that when you call HttpServletRequest#getRemoteUser(), Tomcat gets the info from Apache (this is invisible to the calling code)
> >
> > --
> > - Bill

--
- Bill
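The steps Bill lists above, written out as an httpd configuration. This is an added example, not Bill's actual configuration and not code from the Tomcat or httpd projects; the thread is from 2007, when httpd 2.2 was current and the available server-side bind cache was mod_ldap's search/bind cache (`LDAPCacheTTL`, whose default is 600 seconds), whereas the block below assumes httpd 2.4 with mod_authn_socache, which is the cleaner way to express "cache the Basic Auth result for 10 minutes" today. Which mechanism Bill actually used is not stated in the thread. Module paths, the LDAP URL, the `/app/secure` path and the AJP address and port are placeholders.

```apacheconf
# Added example, not the thread author's or the projects' own config.
# Assumes httpd 2.4 with mod_ldap, mod_authnz_ldap, mod_socache_shmcb,
# mod_authn_socache, mod_proxy and mod_proxy_ajp available. All names,
# paths and ports below are placeholders.

LoadModule ldap_module          modules/mod_ldap.so
LoadModule authnz_ldap_module   modules/mod_authnz_ldap.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule proxy_module         modules/mod_proxy.so
LoadModule proxy_ajp_module     modules/mod_proxy_ajp.so

# Shared-memory cache that mod_authn_socache stores successful lookups in.
AuthnCacheSOCache shmcb

# UNCACHED form: every request carrying an Authorization header is bound
# against LDAP again (the "LDAP server getting hammered" case).
# <Location "/app/secure">
#     AuthType Basic
#     AuthName "Protected"
#     AuthBasicProvider ldap
#     AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"
#     Require valid-user
# </Location>

# CACHED form: consult the socache provider first; on a miss fall through to
# LDAP and cache that result for 600 s (the "10 minutes" in the thread).
# Consequence: a repeated Authorization header is accepted for up to 10
# minutes without a new LDAP bind, so a password change or an account that
# is disabled in LDAP keeps working here until the cache entry expires.
<Location "/app/secure">
    AuthType Basic
    AuthName "Protected"
    AuthBasicProvider socache ldap
    AuthnCacheProvideFor ldap
    AuthnCacheTimeout 600
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"
    Require valid-user
</Location>

# Forward to Tomcat over AJP. mod_proxy_ajp passes the authenticated user
# (REMOTE_USER) in the AJP request, which is what lets Tomcat's
# getRemoteUser() return it once Tomcat is told to trust the front end.
ProxyPass        "/app" "ajp://127.0.0.1:8009/app"
ProxyPassReverse "/app" "ajp://127.0.0.1:8009/app"
```

On the Tomcat side, the matching piece of Bill's last step is the AJP connector attribute `tomcatAuthentication="false"` (for example `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />` in server.xml), which makes Tomcat take the principal from the AJP request instead of running its own Realm. That setting means Tomcat believes whatever remote user any AJP client asserts, so the connector has to be bound to loopback (or otherwise reachable only from this httpd) and the webapp's own security constraints, as Bill notes, are removed rather than left half in place.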