问题
When running with Kerberos tickets, I have noticed that every firefox request has a different Authorization line in the HTTP header. I loaded a simple page, then hit the reload button several times and it was never the same. What causes this behavior? I would have thought that the Authorization line would stay constant for the duration of the Kerberos credentials. (Note that I got the credentials via the kinit command before firing up firefox.)
When the authentication method is Basic, then firefox continues to send the same base64 string of 'user:password' every time. This is the behavior I expected.
Any ideas?
回答1:
mmm it is odd. Any chance that you can post snipptes of the wireshark output. One possibility is that the Service Ticket obtained is not cached and FF gets a service ticket. There have been implementations where a client will get a service but not cache it, instead go and get a service ticket every time needed. Sometimes it is because the process may not have write permissions and it is relatively an inexpensive operation ( a single round trip and symmetric encrypted data)
回答2:
This is due to various limitations in both HTTP and in how Negotiate-Auth works.
HTTP was originally designed as a stateless protocol, and HTTP's authentication system assumes that model. It was designed to do a full authentication exchange in each request; for example, with Basic, it's enclosing your full credentials in each request. With Negotiate-Auth and SPNEGO, the same thing is true: a brand new GSS-API context is created and a fresh authentication is performed with each request.
Yes, this is very wasteful. But there (currently) isn't any standardized way to authenticate once, establish a session, and then bind all subsequent requests to that session (the way that, say, IMAP, POP, or ssh does). There is some IETF work in this direction, but it's very preliminary.
The ticket is cached; it's not doing that much work each time. But the server and the client go through the whole GSS-API session dance each time.
来源:https://stackoverflow.com/questions/11152123/why-does-the-authorization-line-change-for-every-firefox-request