Frédéric,

On 4/22/14, 4:15 PM, Frédéric Poliquin wrote:
>> When you say that you put a reverse proxy in front of Tomcat...
>> do you mean that you pushed the authentication out to the proxy
>> layer?
>
> Yes, I'm delegating everything to HTTPD using an AJP connector.
>
>> This means that if the user changes their password or the
>> group-membership changes on the LDAP side, httpd won't know about
>> those changes and therefore old credentials are still valid, old
>> group-based authentication checks will yield invalid
>> authentication decisions based upon the canonical LDAP service's
>> view of the world.
>
> So does session caching!

No. I tried to make this clear: nothing about the client is cached. It's only the result of a particular check that is cached. httpd keeps the value of "is X the password for user Y?" cached and can then check it as a read-through cache. There is no session. The client has no identity, here. It's just a simple "I'm going to ask LDAP something. Have I asked it the same question recently?".

> Actually HTTPD has better control because it allows you to
> choose the appropriate TTL instead of assuming the same credentials
> for the whole session.

That's correct: if you used Tomcat's "alwaysUseSession" setting, you wouldn't end up re-authenticating the user until the session needed to be created again (expired session, server fail-over, etc.).
-chris
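The two models discussed in this thread, a per-question read-through cache with a TTL on the httpd side versus a session that holds the principal until it expires (Tomcat with alwaysUseSession), can be compared with a small simulation. The following is an added example written for this page, not code from the thread, httpd or Tomcat; the LDAP directory, the user "alice", the passwords and the TTL values are all constructed. It shows that after a password change the cached check keeps honouring the old password only until its TTL lapses, while the session keeps the principal for the whole session lifetime without ever asking LDAP again.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, Optional, Tuple


class FakeLdapDirectory:
    """Stand-in for the canonical LDAP service (constructed for this example)."""

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}
        self.bind_calls = 0  # how often LDAP was really consulted

    def set_password(self, user: str, password: str) -> None:
        self._passwords[user] = password

    def bind(self, user: str, password: str) -> bool:
        """Simulated LDAP simple bind: True only for the current password."""
        self.bind_calls += 1
        stored = self._passwords.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


class CachedCredentialCheck:
    """Read-through cache of single bind results, as described for httpd:
    no session, no client identity, only the answer to
    "is X the password for user Y?" remembered for ttl_seconds."""

    def __init__(self, directory: FakeLdapDirectory, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._dir, self._ttl, self._clock = directory, ttl_seconds, clock
        self._cache: Dict[Tuple[str, str], Tuple[bool, float]] = {}

    @staticmethod
    def _key(user: str, password: str) -> Tuple[str, str]:
        # Keep a digest rather than the clear-text password in the cache.
        return user, hashlib.sha256(password.encode()).hexdigest()

    def check(self, user: str, password: str) -> bool:
        key = self._key(user, password)
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]                    # answer still within its TTL
        result = self._dir.bind(user, password)
        self._cache[key] = (result, now)     # read-through: store fresh answer
        return result


class SessionAuthenticator:
    """Models Tomcat with alwaysUseSession: LDAP is asked once at login and
    the principal then lives in the session until the session expires."""

    def __init__(self, directory: FakeLdapDirectory, session_ttl: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._dir, self._ttl, self._clock = directory, session_ttl, clock
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        if not self._dir.bind(user, password):
            return None
        sid = f"sess-{len(self._sessions) + 1}"   # constructed, not a real id
        self._sessions[sid] = (user, self._clock())
        return sid

    def principal(self, sid: str) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None or self._clock() - entry[1] >= self._ttl:
            return None
        return entry[0]                      # never re-checked against LDAP


def simulate() -> Dict[str, object]:
    """alice changes her password; see when each model stops honouring the old one."""
    now = [0.0]
    clock = lambda: now[0]                   # controllable clock for the demo
    ldap = FakeLdapDirectory()
    ldap.set_password("alice", "old-secret")
    cache = CachedCredentialCheck(ldap, ttl_seconds=60, clock=clock)
    sessions = SessionAuthenticator(ldap, session_ttl=1800, clock=clock)

    sid = sessions.login("alice", "old-secret")   # bind 1
    cache.check("alice", "old-secret")            # bind 2, fills the cache
    cache.check("alice", "old-secret")            # served from cache, no bind
    binds_after_setup = ldap.bind_calls
    ldap.set_password("alice", "new-secret")      # password changed in LDAP

    now[0] = 30                                   # inside the 60 s TTL
    stale_cache = cache.check("alice", "old-secret")
    now[0] = 61                                   # TTL elapsed
    after_ttl_cache = cache.check("alice", "old-secret")
    new_pw_cache = cache.check("alice", "new-secret")
    session_still_valid = sessions.principal(sid) == "alice"

    return {
        "binds_after_setup": binds_after_setup,
        "old_password_accepted_within_ttl": stale_cache,
        "old_password_accepted_after_ttl": after_ttl_cache,
        "new_password_accepted_after_ttl": new_pw_cache,
        "session_still_valid_after_change": session_still_valid,
        "total_ldap_binds": ldap.bind_calls,
    }
```

The cache key is the question itself (user plus a digest of the offered password), so a client presenting the new password is a different question and goes straight to LDAP, while the old password is only honoured until the TTL on that one cached answer runs out. The session model has no such bound short of session expiry, which is exactly the difference in TTL control the thread points at.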