I'm somewhat concerned about how often this Servlet Filter actually hits the identity provider with an authentication request.
I'm certainly no expert with J2EE technology, but I would assume that a Servlet Filter fires for every page load? I would be looking for something that does authentication once for every session, not once for every page view.
My concern is that we're spamming the identity provider with lots and lots of unnecessary authentication requests. Just think of it: you implement this on a corporate website and a few hours later your local AD administrator calls you up because you've totally overloaded the AD with requests. (This being said, my experience is that AD is extremely fast at answering Kerberos requests.)
I understand enough of Kerberos to know that there's a client-side ticket cache. So perhaps the authentication technically does fire once for every page load, but the local Kerberos ticket cache is what makes sure that the AD server is not hit (unnecessarily) with the request? Even so, the whole thing would make me a lot more comfortable if the authentication from Tomcat's perspective would only fire once per session, not once per page load.
(What you do need to happen once per page load is AUTHORIZATION, but let's not mix up authorization and authentication for now. :-))
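One way to get the once-per-session behaviour the post asks for, as an added example that is not the SPNEGO project's own code: a wrapping filter that caches the authenticated Principal in the HttpSession and only runs the Negotiate handshake when no principal is cached yet. The Authenticator interface is hypothetical and stands in for whatever does the actual SPNEGO/GSS-API token validation; Servlet 3.1+ is assumed for changeSessionId().

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Runs the SPNEGO handshake once per HttpSession. Later requests on the same
 * session reuse the cached Principal, so the server-side token validation
 * (and any resulting KDC/AD traffic) is not repeated on every page load.
 * Authorization is deliberately left to downstream code, per request.
 */
public final class SessionCachingAuthFilter implements Filter {

    /** Hypothetical: performs the real SPNEGO/Kerberos negotiation. */
    public interface Authenticator {
        /** Returns the principal, or null if a 401 Negotiate challenge was sent. */
        Principal authenticate(HttpServletRequest req, HttpServletResponse resp) throws IOException;
    }

    static final String PRINCIPAL_ATTR = SessionCachingAuthFilter.class.getName() + ".principal";
    private final Authenticator authenticator;

    public SessionCachingAuthFilter(Authenticator authenticator) { this.authenticator = authenticator; }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        Principal principal = (Principal) session.getAttribute(PRINCIPAL_ATTR);

        if (principal == null) {
            // First request on this session: do the Negotiate round trip.
            principal = authenticator.authenticate(req, resp);
            if (principal == null) {
                return; // challenge already written; wait for the client's token
            }
            // Rotate the session id before binding an identity to it (session fixation).
            req.changeSessionId();
            session.setAttribute(PRINCIPAL_ATTR, principal);
        }

        // Expose the cached identity to downstream code without re-authenticating.
        final Principal p = principal;
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public Principal getUserPrincipal() { return p; }
            @Override public String getRemoteUser() { return p.getName(); }
        }, resp);
    }
}
```

The client's Kerberos ticket cache already spares the KDC on repeat requests, but without this cache the server still has to validate a fresh Negotiate token on every request; the session attribute is what turns that into once per session.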
Have you had a chance to read through all of the posts in this thread...
https://sourceforge.net/p/spnego/discussion/1003769/thread/13c42e96/
Perhaps the thread will give you more ideas about all of the different ways you can skin this cat... the hard part will be picking one!