Here I complete the most mechanically logical solution. Kerberos authentication is done early in the Apache hook processing sequence by mod_auth_kerb. I modified mod_waklog to work with Apache2 and happen during the correct stage after mod_auth_kerb (and before mod_dav).


This solution is mostly disappointing:

  • Apache's mod_dav only overloads DAV-specific REQUEST_METHODs, i.e, PROPFIND, MKCOL: GETs end up falling back to the default Apache handler and happen without the presence of the authenticated PAG. Access to paths without system:anyuser is broken.
    • UMich's solution: inclusion of a "default principal" for the web server to use that users have to ACL to their paths
    • My solution: override and emulate GETs with CGI
      • undesirably decreases the modularity and security of the implementation (and breaks a few abstraction barriers)
  • mod_auth_kerb performs fresh authentication for each DAV request
    • especially from Windows, DAV spawns multiple requests to resolve the state of a folder and detail its contents; this is a huge performance hit

Simply including authentication caching in this implementation would probably be a substantial improvement. Alternatively, having Apache spawn a child to process requests per-user that has a cross-request persisting PAG would probably work as well. I'll try this approach next.

Compared to A, its definitely worth the performance boost hashing successfully authenticated tokens for at least a few requests, especially if the request is just a reused keep-alive. Coupled with the appropriate unlog'ing after each request, this issue is a real drag on response when using the AFS gateway as a mounted file system.

Deprecated: (presbrey) mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /afs/ on line 63

Retrieved from ""

This page has been accessed 4,389 times. This page was last modified on 13 August 2007, at 17:25.