File mod_auth_kerb-cache_auth.patch of Package apache2-mod_auth_kerb
--- src/mod_auth_kerb.c.orig 2008-12-04 11:14:03.000000000 +0100
+++ src/mod_auth_kerb.c 2009-07-17 23:10:15.000000000 +0200
@@ -157,6 +157,7 @@
const char *krb_service_name;
int krb_authoritative;
int krb_delegate_basic;
+ int krb_cache_auth;
#if 0
int krb_ssl_preauthentication;
#endif
@@ -220,6 +221,9 @@
command("KrbDelegateBasic", ap_set_flag_slot, krb_delegate_basic,
FLAG, "Always offer Basic authentication regardless of KrbMethodK5Pass and pass on authentication to lower modules if Basic headers arrive."),
+ command("KrbCacheAuthentication", ap_set_flag_slot, krb_cache_auth,
+ FLAG, "Cache authentication per connection, which provides a substantial performance boost."),
+
#if 0
command("KrbEnableSSLPreauthentication", ap_set_flag_slot, krb_ssl_preauthentication,
FLAG, "Don't do Kerberos authentication if the user is already authenticated using SSL and her client certificate."),
@@ -325,6 +329,7 @@
((kerb_auth_config *)rec)->krb_service_name = NULL;
((kerb_auth_config *)rec)->krb_authoritative = 1;
((kerb_auth_config *)rec)->krb_delegate_basic = 0;
+ ((kerb_auth_config *)rec)->krb_cache_auth = 0;
#if 0
((kerb_auth_config *)rec)->krb_ssl_preauthentication = 0;
#endif
@@ -936,6 +941,7 @@
const char *sent_name = NULL;
const char *realms = NULL;
const char *realm = NULL;
+ const char *cached_auth_info = NULL;
krb5_context kcontext = NULL;
krb5_error_code code;
krb5_principal client = NULL;
@@ -954,6 +960,20 @@
return HTTP_INTERNAL_SERVER_ERROR;
}
+ /* see if we already authenticated this connection */
+ if (conf->krb_delegate_basic) {
+ cached_auth_info = apr_table_get(r->connection->notes, "KRBCACHEDAUTHINFO");
+ if (cached_auth_info) {
+ if (!strcmp(auth_line, cached_auth_info)) {
+ MK_USER = apr_pstrdup(r->pool, apr_table_get(r->connection->notes, "KRBCACHEDUSER"));
+ ret = OK;
+ goto end;
+ } else {
+ apr_table_unset(r->connection->notes, "KRBCACHEDAUTHINFO");
+ }
+ }
+ }
+
sent_pw = ap_pbase64decode(r->pool, auth_line);
sent_name = ap_getword_nulls_nc (r->pool, (char **) &sent_pw, ':');
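Review bot: The guard at the top of this block tests `conf->krb_delegate_basic`, not the `krb_cache_auth` field this patch introduces, so the new KrbCacheAuthentication directive has no effect and the per-connection cache is silently enabled whenever KrbDelegateBasic is on; the same condition appears in the store hunk at @@ -1067,6 +1087,12 @@. Both should read `if (conf->krb_cache_auth) {`, which also restores the "off by default" behaviour the README hunk promises. Worth a comment next to the lookup as well: `/* cache key is the full Basic Authorization header; a different credential on the same connection invalidates the entry */`, since the strcmp against `auth_line` means the decoded Basic credentials are kept in the connection's notes for the lifetime of that connection whenever the option is on. Note that `apr_table_get(..., "KRBCACHEDUSER")` may return NULL if only one of the two notes was set, and `apr_pstrdup` will then hand back NULL as MK_USER; setting both notes under the same condition (as the store hunk does) keeps them paired, but a `KRBCACHEDAUTHINFO` hit without a user should probably fall through to a fresh authentication rather than `goto end` with OK. The enclosing function begins before and ends after this hunk.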
@@ -1067,6 +1087,12 @@
if (conf->krb_save_credentials)
store_krb5_creds(kcontext, r, conf, ccache);
+
+ if (conf->krb_delegate_basic) {
+ apr_table_set(r->connection->notes, "KRBCACHEDAUTHINFO", auth_line);
+ apr_table_set(r->connection->notes, "KRBCACHEDUSER", MK_USER);
+ }
+
ret = OK;
end:
--- README.orig 2009-07-17 23:10:29.000000000 +0200
+++ README 2009-07-17 23:12:16.000000000 +0200
@@ -93,6 +93,15 @@
authentication scheme in Apache (Apache 2.1 seems to provide better support
for multiple various authentication mechanisms).
+KrbCacheAuthentication on | off (set to off by default)
+ Enabling this option causes authentication information to be cached by
+ connection. Thus, if the principal has already been authenticated on
+ the same connection, the result of that authentication is re-used,
+ instead of authenticating against the KDC again.
+ This option provides a substantial performance boost, but is disabled by
+ default because it has not yet been merged upstream and is to be regarded
+ as experimental.
+
Note on server principals
-------------------------
Now you have to create an service key for the module, which is needed to