wyona / yanel

http://www.yanel.org
Apache License 2.0

Improve performance of Basic Authentication #41

Open michaelwechner opened 11 years ago

michaelwechner commented 11 years ago

If one is requesting an HTML page which is protected by Basic Authentication, then the performance can be very bad, because an HTML page can contain many links to CSS, JavaScript, images, etc., for which the basic authentication also needs to be executed.

This means that for requesting a simple HTML page, the server has to do maybe 10-30 basic authentications, and since Yanel is using bcrypt (http://en.wikipedia.org/wiki/Bcrypt), each basic authentication might take 1 second, which means that serving a simple page can take about 30 seconds!

In the case of session authentication this is not a problem, because one does only one authentication, then the session is used.

The question is whether we can somehow cache the Basic authentication, instead of using bcrypt for every request?
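One way to cache the Basic Authentication result asked about above, as an added example that is not part of the original issue or of Yanel's code. The class name `BasicAuthCache`, the `slowCheck` callback standing in for the bcrypt comparison, and the 60-second lifetime are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not a Yanel class): remembers successful Basic Auth checks briefly.
public class BasicAuthCache {
    private static final class Entry { final byte[] mac; final long expiry;
        Entry(byte[] mac, long expiry) { this.mac = mac; this.expiry = expiry; } }
    private final byte[] macKey = new byte[32];            // per-process key, never persisted
    private final ConcurrentHashMap<String, Entry> verified = new ConcurrentHashMap<>();
    private final BiPredicate<String, String> slowCheck;   // stands in for the bcrypt comparison
    private final long ttlMillis;

    public BasicAuthCache(BiPredicate<String, String> slowCheck, long ttlMillis) {
        new SecureRandom().nextBytes(macKey);
        this.slowCheck = slowCheck;
        this.ttlMillis = ttlMillis;
    }

    // Only a keyed MAC of the password is cached, never the password itself.
    private byte[] mac(String password) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(macKey, "HmacSHA256"));
        return m.doFinal(password.getBytes(StandardCharsets.UTF_8));
    }

    public boolean authenticate(String user, String password) throws Exception {
        byte[] presented = mac(password);
        Entry e = verified.get(user);
        long now = System.currentTimeMillis();
        // Fast path: same user, same password, verified recently (constant-time compare).
        if (e != null && e.expiry > now && MessageDigest.isEqual(e.mac, presented)) return true;
        if (!slowCheck.test(user, password)) return false;  // failures are never cached
        verified.put(user, new Entry(presented, now + ttlMillis));
        return true;
    }
    public void invalidate(String user) { verified.remove(user); } // password change, lockout

    public static void main(String[] args) throws Exception {
        int[] slow = {0};  // constructed demo: count how often the slow path runs
        BasicAuthCache c = new BasicAuthCache((u, p) -> { slow[0]++; return u.equals("alice") && p.equals("s3cret"); }, 60_000);
        for (int i = 0; i < 30; i++) c.authenticate("alice", "s3cret"); // page plus 29 assets
        c.authenticate("alice", "wrong");                               // still takes the slow path
        System.out.println("slow checks: " + slow[0]);
    }
}
```

A changed or revoked password stays accepted until its entry expires or `invalidate` is called, so the lifetime should be short and the password-change path should call `invalidate`.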

michaelwechner commented 10 years ago

This problem is also rather annoying when one is configuring Tomcat with BASIC AUTH.

michaelwechner commented 10 years ago

An alternative might be to check first whether a URL is available for world, and if so, then the BASIC AUTH check will not be necessary.

michaelwechner commented 10 years ago

According to the log file, the YanelServlet is calling

YanelServlet.getIdentity()

not just from within

YanelServlet.doAccessControl()

but rather it is called at many other places, which makes it even slower.