How often does MIT krb5 request for KDC info through DNS?

Nico Williams nico at cryptonector.com
Tue Aug 5 12:16:41 EDT 2014


On Tue, Aug 05, 2014 at 05:03:40PM +0100, David Woodhouse wrote:
> On Tue, 2014-08-05 at 10:53 -0500, Nico Williams wrote:
> > As for JGSS performance, there are worse problems:
> >
> >  - servlets that don't use cookies to optimize away the GSS context
> >    setup per-request(!!!)
> 
>  - On IIS, failing to set the 'AuthPersistNonNTLM' attribute which makes
>    Kerberos authentication a per-connection thing instead of per-request

HTTP/1.1 is not supposed to be aware of connection state, and IIRC the
servlet interface design doesn't make it possible to make the servlet
able to cache per-connection state :(

Cookies are the authentication state system for HTTP, for better or
worse, whether we like it or not.

Java needs an utterly trivial-to-set-up session cookie system.

Nico