Avoid checking credentials with every request
Checking for valid credentials becomes especially expensive with salted and hashed passwords. This should only be done once and after that handled by a session id or something like that.
Added caching with max age of 2 hours; only valid for BasicVerifier (HTTP basic) as other cookie-based authentication schemes should work with tokens instead; to be solved in a different issue.
HTTP basic requires user/pw with every request, so a token only works with mechanisms such as cookie auth; tokens can also be used with OpenID.
A superclass perhaps, that stores a set of hashes consisting of username + password + salt (installation's base URI?) using a fast algorithm, e.g. SHA-1. Not the safest thing to do, but it is perhaps necessary not to expect an attacker to have access to the memory of the local machine.
An alternative is to create a token (instead of a hash based on user/pw) that expires after some time.
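A sketch of the caching approach discussed above, as an added example that is not the project's own code: a wrapper around a slow salted-hash check that remembers successful HTTP basic verifications for 2 hours. `CachingVerifier`, `slow_verify` and `demo` are hypothetical names, and HMAC-SHA-256 under a random per-process key is used here in place of the SHA-1 plus salt mentioned in the thread, so cached digests are useless outside the running process.

```python
import hashlib, hmac, os, time

MAX_AGE = 2 * 60 * 60  # cache lifetime from the page: 2 hours

class CachingVerifier:
    """Wraps a slow password check; caches only successful results."""
    def __init__(self, slow_verify, max_age=MAX_AGE, clock=time.monotonic):
        self._slow_verify = slow_verify   # the expensive salted-hash check
        self._max_age = max_age
        self._clock = clock
        self._key = os.urandom(32)        # per-process key, never persisted
        self._cache = {}                  # fast digest -> expiry time

    def _digest(self, user, password):
        # Length-prefix the user so ("a:b", "c") and ("a", "b:c") differ.
        u = user.encode()
        msg = b"%d:%s:%s" % (len(u), u, password.encode())
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, user, password):
        tag = self._digest(user, password)
        now = self._clock()
        expiry = self._cache.get(tag)
        if expiry is not None and now < expiry:
            return True                   # cache hit, slow check skipped
        self._cache.pop(tag, None)        # drop an expired entry, if any
        if not self._slow_verify(user, password):
            return False                  # failures are never cached
        self._cache[tag] = now + self._max_age
        return True

    def invalidate(self):
        """Call on password change or account lock; clears all entries."""
        self._cache.clear()

def demo():
    # Constructed sample account; PBKDF2 stands in for the slow check.
    salt = b"constructed-salt"
    stored = hashlib.pbkdf2_hmac("sha256", b"s3cret", salt, 200_000)
    calls = []
    def slow_verify(user, password):
        calls.append(user)
        got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return user == "alice" and hmac.compare_digest(got, stored)
    now = [0.0]
    v = CachingVerifier(slow_verify, clock=lambda: now[0])
    results = [v.verify("alice", "s3cret"), v.verify("alice", "s3cret"),
               v.verify("alice", "wrong")]
    now[0] = MAX_AGE + 1                  # jump past the 2-hour max age
    results.append(v.verify("alice", "s3cret"))
    return results, len(calls)
```

Only successful checks are cached, so a wrong password always pays the full cost of the slow hash and the cache gives no speed-up for guessing.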