Both authentication and authorization will hit the underlying security repository (e.g. files, LDAP, etc.). For example, creating a JMS connection and a consumer will result in 2 hits with the same authentication request. This can cause unwanted (and unnecessary) resource utilization, especially in the case of networked configuration like LDAP.

There is a rudimentary cache for authorization, but it is cleared totally every 10 seconds by default (controlled via the security-invalidation-interval setting), and it must be populated initially which still results in duplicate auth requests.