Affects versions: 220.127.116.11, 3.4.8
Fix versions: 3.4.9
Environment: CentOS 5.6 32bit
Java oracle JDK 1.6.0u24
Apache Tomcat 6.0.32
CAS Authentication method used : X509 (upn field) + X509 (CN field) + Login/password on Active Directory, each with one CredentialToPrincipalNameResolver attached.
After a little play with JMeter, it points out that I have an issue with LDAP connection times. We use SSL to secure the connection between CAS and Active Directory, and it appeared that the time needed to establish a connection is about 200ms. With our authentication configuration, I get 4 connections for a login/password authentication: 1 for each authentication method & 1 for authentication checking. A bit expensive I think.
I looked at the sources and unfortunately, the two classes involved in LDAP connections don't allow connection pooling:
- AbstractLdapPersonDirectoryCredentialsToPrincipalResolver requires an LdapContextSource bean which I don't know how to pool. I've tested with org.springframework.ldap.pool.factory.PoolingContextSource and got an exception (Spring cannot cast a ContextSource to an LdapContextSource)
- AbstractLdapUsernamePasswordAuthenticationHandler uses only one ContextSource for 2 purposes : authentication & lookup. I've read that authentication connections cannot be pooled because of authentication context that is not reset between uses, but lookup connection could/should be pooled I think.
So I made a test: I copied these two abstract classes and daughter classes, made the needed modifications, and it seems to work as I expected.
But as I'm not a Java expert, I don't know if it's a good idea.
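
The trade-off described in the report, as an added Python model that is not CAS or Spring LDAP code: it counts connection set-ups per login with and without a pool for lookups, and shows why a connection bound as an end user is kept out of the pool. The 200 ms cost and the four connections per login come from the report; the class names, the `cn=cas-svc` service DN and the split into three lookups plus one bind are assumptions.

```python
# Constructed model (not CAS or Spring LDAP code): counts LDAPS connection set-ups.
HANDSHAKE_MS = 200      # per-connection set-up cost reported above
LOOKUPS_PER_LOGIN = 3   # assumption: one directory lookup per configured method
SERVICE_DN = "cn=cas-svc"  # hypothetical service account used for lookups


class FakeLdapConnection:
    """Stands in for an LDAPS connection; creating one costs a handshake."""
    opened = 0  # class-wide count of handshakes performed

    def __init__(self):
        FakeLdapConnection.opened += 1
        self.bound_as = None  # identity the server ties to this connection

    def bind(self, dn):
        self.bound_as = dn


class LookupPool:
    """Reuses connections that are bound as the service account."""

    def __init__(self, service_dn):
        self.service_dn = service_dn
        self.idle = []

    def borrow(self):
        if self.idle:
            return self.idle.pop()
        conn = FakeLdapConnection()
        conn.bind(self.service_dn)
        return conn

    def give_back(self, conn):
        # A connection re-bound as an end user would hand that identity to
        # the next borrower, so only service-account connections are kept.
        if conn.bound_as == self.service_dn:
            self.idle.append(conn)


def login(user_dn, pool=None):
    for _ in range(LOOKUPS_PER_LOGIN):
        conn = pool.borrow() if pool is not None else FakeLdapConnection()
        conn.bind(SERVICE_DN)
        if pool is not None:
            pool.give_back(conn)
    FakeLdapConnection().bind(user_dn)  # password check: fresh, never pooled


def handshake_cost_ms(logins, pooled):
    FakeLdapConnection.opened = 0
    pool = LookupPool(SERVICE_DN) if pooled else None
    for i in range(logins):
        login(f"cn=user{i}", pool)
    return FakeLdapConnection.opened * HANDSHAKE_MS
```

In this sequential model 100 logins cost 400 handshakes without pooling and 101 with pooled lookups; under concurrent load the pool would hold more than one lookup connection.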