2

I've got an Apache2 httpd running in front of a Tomcat, doing authentication via mod_auth_kerb.

When I open the console in Firebug, I see lots of 401s.

See screenshot:


Is there a way to avoid this? I guess it's causing an additional roundtrip which impacts performance.

Pierre.Vriens

1 Answer

1

No; the extra response and request are necessary for the SPNEGO authentication process, see RFC 4559 for details.

I'd recommend only forcing authentication of the sensitive resources. In your screenshot, it looks like only that very first request should be authenticated; you can probably set Satisfy Any on that /res directory.

Shane Madden
  • Yeah, excluding those resources might be a solution. I was testing this in Firefox, so there was no IE SSO stuff going on. Credentials were collected via HTTP BASIC style prompt, so I was expecting that the browser would send the "Authorize" header preemptively for all URLs it tried to fetch, just like with traditional HTTP BASIC auth. Do you know why the Kerberos blob is not sent preemptively? – Michael Böckling Nov 22 '11 at 21:51
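
The exclusion suggested in the answer above, written out as an added example that is not part of the original posts. It uses Apache 2.2 syntax to match the `Satisfy Any` advice; the realm, keytab path and AuthName are placeholders, and `/res` is the static directory named in the answer.

```apache
# Added example: placeholder realm and keytab path, not values from the post.

# Default: every request must pass Kerberos/SPNEGO, so each one can
# trigger the 401 + "WWW-Authenticate: Negotiate" challenge (RFC 4559).
<Location />
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate On
    # Password fallback, matching the Basic-style prompt described in the comment
    KrbMethodK5Passwd On
    Require valid-user
</Location>

# Static resources: host-based access is allowed for everyone, and
# "Satisfy Any" means passing EITHER the host check OR authentication
# is enough, so no 401 challenge is sent for these URLs.
<Location /res>
    Order allow,deny
    Allow from all
    Satisfy Any
</Location>

# Apache 2.4 equivalent for the /res block (mod_authz_core):
# <Location /res>
#     Require all granted
# </Location>
```

Everything under `/res` is then served without authentication and without a `REMOTE_USER` for Tomcat, so keep only non-sensitive static files there.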