Thomas Mortagne: FYI, the requested issue report. Not sure if it's actually a "Bug" or rather a feature request.
In my setup, I'm using an Apache httpd reverse proxy in front of the locally listening Tomcat 9 in which XWiki is running.
I manage my users using LDAP, and the Apache httpd already authenticates the users via HTTP Basic Authentication before forwarding the request to Tomcat / XWiki.
Rather by random chance, Thomas Mortagne had a glimpse at my logs and noticed that XWiki was continuously re-authenticating the user session using LDAP, even for REST requests during page loads.
XWiki always feels somewhat sluggish on my system, and permanently performing LDAP lookups on every request probably does not really help here...
As far as I could see, there was no warning whatsoever in the logs that something was "messed up" with the authentication configuration, leading to such a misbehaviour.
At least a big, fat, easy-to-find warning would be good here, or maybe just to rely on the user name after the session setup instead of reauthenticating all the time. (As in "Trusted Authentication" mode, if this does not create security holes.)
My reverse proxy setup was as follows:
I'm now trying to work around this issue by enabling xwiki.authentication.ldap.httpHeader=REMOTE_USER in xwiki.cfg and adding
to my reverse proxy config.
Still waiting for confirmation from Thomas Mortagne that this actually helped.
"Placebo estimation" suggests that afterwards XWiki feels somewhat more responsive already...