Ideally, we would invoke Authenticator.getUser precisely once per request, and cache and reuse that result after that. Right now, we are invoking it over a dozen times per request. Several of these calls are made even when the thread local cached copy of the user information is available and in scope. Most of the rest could be modified to use this cached copy as well.

Reducing the number of times we invoke this Authenticator will speed up our performance on LDAP, and resolve any account lockout issues we may be triggering on systems that restrict (and automatically enforce) the number of failed login attempts.