Configuring the authentication cache on the Liberty profile

You can modify how authenticated users are cached on the Liberty profile.

About this task

Because the creation of a subject might impact performance, the Liberty profile provides an authentication cache to store a subject after an authentication of a user is successful. The cache is initialized with a certain number of entries, determined by the initialSize attribute, and has a maximum number of entries, determined by the maxSize attribute. If the maximum size is reached, then the earliest entries that were used are removed from the cache. Iif a user has been inactive for longer than period that is specified by the timeout attribute, then the entry for that user is removed from the cache. By default, the cache size is initialized to 50 entries and a maximum of 25000 entries, with a timeout of 600 seconds.

You do not have to configure the values for the authCache element unless you want to change the default values of the authentication cache.

For more information about authentication case, see Authentication cache.

Note:
  • Any change that is made to the user registry configuration in the server.xml file clears the authentication cache. However, if changes are made to an external user registry, such as LDAP, the authentication cache is unaffected.
  • You must consider the following effects of the timeout value on your configuration:
    • Larger authentication cache timeout values can increase security risks. For example, you might revoke a user in the user registry or repository, but the revoked user can log in by using the credential that is cached in the authentication cache until the cache is refreshed.
    • Smaller authentication cache timeout values can affect performance. When this value is smaller, the Liberty profile server accesses the user registry or repository more frequently.
    • Larger numbers of entries in the authentication cache, which is caused by an increased number of users, increases the memory usage of the authentication cache. Thus, the application server might slow down and affect performance.

Procedure

  1. Enable the Fix Pack 8550 appSecurity-2.0 Liberty feature by adding the following code to the server.xml file. 
     <featureManager>
    <feature>Fix Pack 8550 appSecurity-2.0</feature>
 </featureManager>
  2. Optional: To change the default options for the authentication cache, add the <authCache> element to the server.xml file. In the following example, the initial size of the authentication cache is changed to 100 entries with a maximum of 50000 entries, and the timeout is changed to 15 minutes. 
     <authCache initialSize="100" maxSize="50000" timeout="15m"/>
  3. Optional: To disable the authentication cache, set the attribute cachEnabled to false in the <authentication> element as follows: 
     <authentication id="Basic" cacheEnabled="false" />

    For more information about the <authCache> and <authentication> elements, see Liberty profile: Configuration elements in the server.xml file.

Parent topic: Authenticating users in the Liberty profile
Related concepts:
Liberty profile: Authentication
Related information:
Intel Advanced Encryption Standard New Instructions

Icon that indicates the type of topic Task topic
Terms and conditions for information centers | Feedback


Timestamp icon Last updated: Wednesday, 22 May 2013
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=twlp_sec_cache
File name: twlp_sec_cache.html