Strictly speaking you won't know the type until it is send; before that any code might still change the response. In any case you don't want to run a bunch of code just to figure out if whether you want to allow the user access.

So, in other words, if you can't figure out the content-type from the url, I would suggest you use a more structured approach and put non-authorization-required content under a seperate path: "http://example.com/public/" and "http://example.com/auth/" for instance, and then you can easily match the uri in the auth phase, or even configure apache to just run the auth handlers for the right content.