Load Testing Liferay Without the Password Bottleneck

Using Token Based SSO

Fabian Bouché

Many developers eventually run load tests on their Liferay environments, and a common complaint is that authentication becomes a major performance bottleneck.

This happens because password authentication in Liferay is intentionally slow — it’s designed that way to mitigate brute-force attacks. During load testing, however, this security feature can dramatically skew results.

The reason teams often rely on password authentication is simple: they usually don’t have access to an external SSO system that can be easily included in their test setup.

A better approach is to use Token Based SSO, which Liferay supports out of the box. With this feature, you can authenticate a user based on a token (like an email address or screen name) passed in an HTTP request header.

You can find configuration details here:
Token-Based Authentication in Liferay

Sample configuration:


 

For example, once Token Based SSO is enabled, you can test it directly in the browser console from an unauthenticated session:

fetch("/", { headers: { "SM_USER": "test@liferay.com" } });

Then simply refresh the page — you’re logged in.

In a load testing tool such as JMeter, you can use this same principle:

  • Make an initial call that includes the SSO header

  • Save the session cookie

  • Continue the rest of the load test scenario as an authenticated user

Important: Only enable Token Based SSO in a controlled load testing environment, never in production. It allows impersonation of any user, so it should be strictly isolated.

This feature can also be combined with authentication modules at the reverse proxy or web server layer (Apache, NGINX, etc.), where incoming headers from user agents can be filtered or stripped for safety.
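
An added example, not from the original post or from Liferay's documentation: an NGINX fragment for the reverse-proxy setup described above, in which the proxy authenticates the caller, ignores any client-supplied SM_USER header, and sets the header itself. The basic-auth module, host names, addresses and file paths are assumptions chosen for illustration.

```nginx
# Fragment for the http{} context (for example a file under conf.d/).
# Constructed example: host names, addresses, ports and paths are placeholders.

# Assumed: Liferay listens on loopback only, so this proxy is the
# only network path to the token-SSO-enabled instance.
upstream liferay_loadtest {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name loadtest.example.internal;
    ssl_certificate     /etc/nginx/tls/loadtest.crt;
    ssl_certificate_key /etc/nginx/tls/loadtest.key;

    # Weak variant, shown for contrast and left commented out:
    #   underscores_in_headers on;
    # With that setting and no proxy_set_header override below, a
    # client-supplied SM_USER header would be forwarded to Liferay unchanged.

    # nginx defaults, stated explicitly: client header names containing
    # underscores (such as SM_USER) are marked invalid and ignored.
    underscores_in_headers off;
    ignore_invalid_headers on;

    location / {
        # Only the load generators' network may connect at all.
        allow 10.0.50.0/24;
        deny  all;

        # Stand-in for whichever proxy-side authentication module is used.
        # The htpasswd user names are assumed to equal the tokens Liferay
        # expects (email address or screen name).
        auth_basic           "Liferay load test";
        auth_basic_user_file /etc/nginx/loadtest.htpasswd;

        # The proxy, not the user agent, decides the identity header.
        # If $remote_user were empty, the header would not be sent upstream.
        proxy_set_header SM_USER $remote_user;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://liferay_loadtest;
    }
}
```

After a change like this, a request sent through the proxy with a hand-written SM_USER header should reach Liferay carrying only the identity the proxy authenticated.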
