Authentication cache - Liberty profile
Overview
The Liberty profile authentication cache stores user subjects.
The initial number of entries is determined by the initialSize attribute. The default is 50 entries.
The maximum number of entries is determined by the maxSize attribute. The default is 25,000 entries. If the maximum is reached, the earliest entries are removed.
Users inactive for longer than the time period specified by the timeout attribute are removed.
Changes to the user registry configuration in server.xml will clear the authentication cache. Changes to an external user registry such as LDAP will not clear the authentication cache.
Larger authentication cache timeout values can increase the security risk. For example, until the cache is refreshed, a revoked user can log in using cached credentials.
A small authentication cache timeout value can mean more frequent requests to the user registry, reducing performance.
Larger numbers of entries increase memory usage.
Set the authentication cache
- Enable the appSecurity-1.0 Liberty feature in server.xml.
<featureManager>
    <feature>appSecurity-1.0</feature>
</featureManager>
- To change the default options for the authentication cache, add the authCache element to server.xml. For example:
<authCache initialSize="100" maxSize="50000" timeout="15m"/>
- To disable the authentication cache, set the cacheEnabled attribute to false in the authentication element:
<authentication id="Basic" cacheEnabled="false" />
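The trade-offs described in the overview can be checked mechanically. The following is an added example, not IBM code: a small audit of the authCache and authentication elements in a server.xml. The function names, the 900-second policy ceiling, the d/h/m/s duration suffixes and the sample configurations are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def duration_seconds(value):
    """Convert a duration such as '15m', '1h30m' or '600' (bare seconds) to seconds."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([dhms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError("unrecognised duration: %r" % value)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def audit_auth_cache(server_xml, max_timeout_s=900, max_entries=25000):
    """Return findings for the authentication cache settings (thresholds are assumed policy)."""
    root = ET.fromstring(server_xml)
    findings = []
    cache = root.find("authCache")
    if cache is None or cache.get("timeout") is None:
        findings.append("timeout not set explicitly: server default applies")
    else:
        seconds = duration_seconds(cache.get("timeout"))
        if seconds > max_timeout_s:
            findings.append("timeout %ds exceeds policy ceiling %ds: revoked users "
                            "stay cached longer" % (seconds, max_timeout_s))
    if cache is not None and int(cache.get("maxSize", max_entries)) > max_entries:
        findings.append("maxSize %s exceeds %d: higher memory usage"
                        % (cache.get("maxSize"), max_entries))
    for auth in root.iter("authentication"):
        if auth.get("cacheEnabled", "true").strip().lower() == "false":
            findings.append("cache disabled on authentication id=%r: every login "
                            "queries the user registry" % auth.get("id"))
    return findings

# Constructed sample configurations (not taken from a real server).
LONG_TIMEOUT = """<server>
  <featureManager><feature>appSecurity-1.0</feature></featureManager>
  <authCache initialSize="100" maxSize="50000" timeout="12h"/>
</server>"""
DISABLED = """<server>
  <authCache timeout="15m"/>
  <authentication id="Basic" cacheEnabled="false"/>
</server>"""

if __name__ == "__main__":
    for name, xml in (("LONG_TIMEOUT", LONG_TIMEOUT), ("DISABLED", DISABLED)):
        print(name, audit_auth_cache(xml))
```

Because changes in an external registry such as LDAP do not clear the cache, the timeout ceiling is the setting that bounds how long a revoked account can remain usable.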