Posted to users@tomcat.apache.org by Bill Higgins <bi...@gmail.com> on 2007/04/18 21:27:18 UTC

caching principals within Tomcat using Basic Auth and LDAP

Hello, I have a web app on Tomcat 5.5 where we're using Basic Auth as our
authentication method.  We recently did some load testing and noticed that
every HTTPS request to one of the secure URLs was resulting in an LDAP auth
check.  This makes sense because in Basic Auth, the browser sends the
credentials with every request via the Authorization header.

I would like Tomcat to cache the credentials for a period of time so that
after successfully authenticating against LDAP, the server will not hit LDAP
for that particular user for 5-10 minutes, to reduce load on the LDAP server
and remove a system bottleneck.  Note, the user observes this behavior
already since the browser caches the credentials; the problem I'm trying to
solve is excessive load on the LDAP server.

I consulted the Tomcat 5.5 docs and read the following paragraph in the
Realm HOWTO ( http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html ):

> Once a user has been authenticated, the user (and his or her associated
> roles) are cached within Tomcat for the duration of the user's login. (For
> FORM-based authentication, that means until the session times out or is
> invalidated; for BASIC authentication, that means until the user closes
> their browser).

So the docs indicate that Tomcat would automatically give me the behavior
that I'm looking for (Tomcat caching the credentials) but my LDAP logs are
telling a different story.  I think the more accurate description is that
"the browser caches the credentials for the duration of the browser process,
but Tomcat doesn't cache anything".

So my question (after this long-winded exposition): it seems that
Tomcat gives me nothing for caching Basic Auth'd users to reduce load on my
LDAP server.  Can anyone confirm or deny whether this is true?  Has anyone ever
encountered a similar situation and found a workaround?  My current best
workaround idea is to install Apache HTTP server in front of Tomcat (which
can do Basic Auth credential caching) and turn off Tomcat security, but this
seems kludgy.

Thanks in advance for any help.

-- 

- Bill

RE: caching principals within Tomcat using Basic Auth and LDAP

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Bill Higgins [mailto:billhigg@gmail.com] 
> Subject: Re: caching principals within Tomcat using Basic 
> Auth and LDAP
> 
> It's possible that we had a Tomcat configuration error
> but we couldn't find any additional information on Basic
> Auth caching other than the doc section both you and I have 
> now quoted.

Does it make a difference if keep-alives are enabled?  I haven't looked
at the code, but I wonder if the credentials are discarded when the HTTP
connection drops.

 - Chuck



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: caching principals within Tomcat using Basic Auth and LDAP

Posted by Bill Higgins <bi...@gmail.com>.
Hi Martin,

First off, thanks for taking the time to respond.

If you look at my original post, you'll notice that I quoted the same part
of the documentation.  The problem was that although the doc asserts that
Tomcat does cache Basic Auth credentials, we tested this by viewing LDAP
logs and we observed that Tomcat authenticated every request against our
LDAP server.

I believe the doc is incorrect in stating that Tomcat caches Basic Auth
credentials.  The browser automatically caches the Basic Auth credentials
for a site/realm and automatically sends them via the Authorization header
on every subsequent request to the same site/realm.  This is great for the
user but it still resulted in our LDAP server getting hammered.

Apache HTTP Server on the other hand has a configuration setting where you
can do server-side caching of Basic Auth credentials for a period of time.
The browser still sends the Authorization header on each subsequent request,
but as long as Apache recognizes the Base64 encoded username:password within
that period of time, Apache assumes the user is still valid and doesn't
check with LDAP.  Once we configured Apache to cache Basic Auth credentials
on the server side, we observed that we only had one LDAP entry per user
(caused by the first non-cached authentication).

Does what I said make sense?  It's possible that we had a Tomcat
configuration error but we couldn't find any additional information on Basic
Auth caching other than the doc section both you and I have now quoted.

Thanks again.

On 4/29/07, Martin Gainty <mg...@hotmail.com> wrote:
>
> Hello Bill
>
> http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
> "Once a user has been authenticated, the user (and his or her associated
> roles) are cached within Tomcat for the duration of the user's login. (For
> FORM-based authentication, that means until the session times out or is
> invalidated; for BASIC authentication, that means until the user closes
> their browser)"
>
> I concur that you should look at authentication from another source such as
> Apache if you're looking for BASIC auth beyond the point where the session
> times out or is invalidated (including the user closing the browser)
>
> Does this conform to your understanding?
>
> Thx,
> Martin


-- 

- Bill

Re: caching principals within Tomcat using Basic Auth and LDAP

Posted by Martin Gainty <mg...@hotmail.com>.
Hello Bill

http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html
"Once a user has been authenticated, the user (and his or her associated 
roles) are cached within Tomcat for the duration of the user's login. (For 
FORM-based authentication, that means until the session times out or is 
invalidated; for BASIC authentication, that means until the user closes 
their browser)"

I concur that you should look at authentication from another source such as
Apache if you're looking for BASIC auth beyond the point where the session
times out or is invalidated (including the user closing the browser)

Does this conform to your understanding?

Thx,
Martin

----- Original Message ----- 
From: "Bill Higgins" <bi...@gmail.com>
To: <us...@tomcat.apache.org>
Sent: Sunday, April 29, 2007 8:44 PM
Subject: Re: caching principals within Tomcat using Basic Auth and LDAP


Re: caching principals within Tomcat using Basic Auth and LDAP

Posted by Bill Higgins <bi...@gmail.com>.
FYI, we ended up finding a solution to the problem above, but it required us
to use Apache HTTP Server rather than Tomcat to secure the URLs and cache
the Basic Auth credentials (since Tomcat apparently cannot do so) and
configure Tomcat to respect the other component as the trusted source of
principal information.

In detail:

   - remove all security constraints from our Tomcat webapp's web.xml file
   - install Apache HTTP Server to front Tomcat and configure Apache to
   secure the same paths that Tomcat had previously secured
   - configure Apache to cache Basic Auth credentials for 10 minutes at a
   time
   - configure Tomcat so that when you call
   HttpServletRequest#getRemoteUser(), Tomcat gets the info from Apache
   (this is invisible to the calling code)

--

- Bill
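One way to wire up the arrangement described above, added here as an illustration and not taken from Bill's actual configuration: Apache httpd authenticates against LDAP with mod_authnz_ldap, mod_ldap caches the results for the 10-minute window, and mod_proxy_ajp forwards the request (with the authenticated user) to Tomcat. The hostnames, paths, LDAP base DN and module paths are assumptions.

```apache
# Added example (not from the thread). Apache httpd in front of Tomcat:
# LDAP Basic Auth is checked here, cached by mod_ldap, and the request is
# handed to Tomcat over AJP. Hostnames, paths and the base DN are assumed.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_ajp_module   modules/mod_proxy_ajp.so

# mod_ldap search/bind cache: a successful username:password bind is
# remembered (password stored hashed) for LDAPCacheTTL seconds, so a user
# costs one LDAP bind per window instead of one per request. 600 s is the
# 10-minute window from the thread. Caveat for revocation: a password
# change or account disable in LDAP is not seen until the entry expires.
LDAPSharedCacheSize 500000
LDAPCacheEntries    1024
LDAPCacheTTL        600
# Operation cache: group/DN compare results (Require ldap-group etc.).
LDAPOpCacheEntries  1024
LDAPOpCacheTTL      600

# Protect the same paths that the Tomcat security constraints used to cover.
<Location /app/secure>
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
    Require valid-user
</Location>

# Forward to Tomcat over AJP; the AJP protocol carries the authenticated
# user name so HttpServletRequest#getRemoteUser() can return it.
ProxyPass        /app ajp://127.0.0.1:8009/app
ProxyPassReverse /app ajp://127.0.0.1:8009/app
```

On the Tomcat side, set tomcatAuthentication="false" on the AJP connector in server.xml so that getRemoteUser() returns the name Apache forwarded instead of Tomcat's own (now removed) authentication result. Because Tomcat then trusts whatever principal the AJP peer asserts, that connector must only be reachable from the Apache host (bind it to a loopback or private address and firewall the port).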