I found that the JAASRealm implementation (org.apache.catalina.realm.JAASRealm) does not reuse the LoginContext (javax.security.auth.login.LoginContext) instance. Every time the authenticate(String,String) method is called a new LoginContext instance is created. Creating a new instance of the LoginContext will result in creating a new instance of all LoginModule's configured for this application. In other words, for each login a new instance of the LoginModule is created. However, in my case the initialization of the login module is an expensive operation.
The only way to resolve this is to write a custom JAASRealm implementation. However, before doing this I would like to know whether there is any rational of not caching the LoginContext instance. I looked in the JAAS spec and could find anything against caching the LoginContext. I've also looked at LoginContext source code in JDK 1.4 and it appears to be written to cache the LoginModule instances. So I would assume it is correct to write a custom version of the JAASRealm to operate on a single instance of the LoginContext. Am I right? I would appreciate any thoughts. Thanks Stefan Baramov Software Developer --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]