LDAP Security - Don't re-authenticate on every request

[hyperman1]

Description
When using ldap security and servlets, every request/response re-authenticates. Especially the role lookup can take a lot of time. Hence, the elytron cache should be possible to enable

Implementation ideas
The existing io.quarkus.elytron.security.ldap.LdapRecorder class seems a good point for this: The last line is:

      return new RuntimeValue<>(builder.build());

You can do something like:
//These come from application.properties
int config_cache_size=10000;
long config_cache_time_to_live=1000L6015;//15 minutes

            SecurityRealm ldapRealm = builder.build();
	if (ldapRealm instanceof CacheableSecurityRealm&&config_cache_size!=0) {
		// Cache 15 minuten
		ldapRealm = new CachingSecurityRealm((CacheableSecurityRealm) ldapRealm,
				new LRURealmIdentityCache(config_cache_size, config_cache_time_to_live));
	}
            return new RuntimeValue<>(ldapRealm);

[hartimcwildfly]

Should the caching be fixed at buildtime or at runtime?

[daniel-chelcioiu]

Hi,
Any news on this ?
Thanks

[hyperman1]

@hartimcwildfly I think I answered you in another thread or on the chat, so I'll add my answer from long ago here:

In my experience, all security parameters should be tuneable at run time. Security setup can differ between dev and prod, and might be adapted by different teams.

We managed to introduce keycloak in our organisation, so my interest for LDAP has seriously diminished since writing these calls.

@daniel-chelcioiu I don't think there is any other news on this.