auth: Don't send server response for websocket handlers
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 10 Oct 2022 13:34:22 +0000 (13:34 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 10 Oct 2022 13:34:22 +0000 (13:34 +0000)
WebSocket connections don't allow us to set any headers and we cannot
validate them on the client side either.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/web/auth.py

index a3166ac6ebd9552c28ab9ed9be32fb69e43e2c25..51d5e0b5828e1341009be7c4be8537de66e42dec 100644 (file)
@@ -5,6 +5,7 @@ import kerberos
 import logging
 import os
 import tornado.web
+import tornado.websocket
 
 from . import base
 
@@ -78,11 +79,12 @@ class KerberosAuthMixin(object):
                        if not result == kerberos.AUTH_GSS_COMPLETE:
                                return self._auth_basic(auth_header)
 
-                       # Fetch the server response
-                       response = kerberos.authGSSServerResponse(context)
+                       if not isinstance(self, tornado.websocket.WebSocketHandler):
+                               # Fetch the server response
+                               response = kerberos.authGSSServerResponse(context)
 
-                       # Send the server response
-                       self.set_header("WWW-Authenticate", "Negotiate %s" % response)
+                               # Send the server response
+                               self.set_header("WWW-Authenticate", "Negotiate %s" % response)
 
                        # Return the user who just authenticated
                        user = kerberos.authGSSServerUserName(context)
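Review bot: The new `isinstance(self, tornado.websocket.WebSocketHandler)` branch has no comment saying why the reply token is skipped, and skipping it means WebSocket clients never receive the GSSAPI server token that normally lets a client verify the server. I would add a comment above the check such as `# WebSocket handshakes cannot carry our WWW-Authenticate reply, so no GSSAPI mutual authentication is offered on these handlers`. A reader can then see that server identity on those endpoints presumably depends on the transport (TLS) alone. Separately, in the non-WebSocket path `response` is formatted into the header unchecked. If `kerberos.authGSSServerResponse(context)` can return `None` when there is no output token (worth confirming against the binding in use), the header becomes `Negotiate None`; a guard like `if response:` before `self.set_header(...)` would avoid that. The enclosing method starts above this hunk and continues below it, so any context cleanup is not visible here.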