JAASRealm and LoginContext reuse

[Stefan Baramov <St...@trx.com>]

I found that the JAASRealm implementation
(org.apache.catalina.realm.JAASRealm) does not reuse the LoginContext
(javax.security.auth.login.LoginContext) instance. Every time the
authenticate(String,String) method is called a new LoginContext instance
is created. Creating a new instance of the LoginContext will result in
creating a new instance of all LoginModule's configured for this
application. In other words, for each login a new instance of the
LoginModule is created. However, in my case the initialization of the
login module is an expensive operation. 

The only way to resolve this is to write a custom JAASRealm
implementation. However, before doing this I would like to know whether
there is any rational of not caching the LoginContext instance. I looked
in the JAAS spec and could find anything against caching the
LoginContext. I've also looked at LoginContext source code in JDK 1.4
and it appears to be written to cache the LoginModule instances. So I
would assume it is correct to write a custom version of the JAASRealm to
operate on a single instance of the LoginContext. Am I right? 

I would appreciate any thoughts. 

Thanks
Stefan Baramov 
Software Developer 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org