- From: Roy Fielding <fielding@beach.w3.org>
- Date: Fri, 18 Aug 1995 13:57:58 -0400
- To: Dave Kristol <dmk@allegra.att.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>Last week there was some discussion about how to support multiple
>WWW-Authenticate (or equivalent) headers.  Here are some related
>questions.
>
>Let's assume the server sends multiple WWW-Authenticate headers for a
>single resource.  (Or it could be some new header; you get the idea.)
>
>1) Can there be more than one such header that uses the same scheme
>    (e.g., Basic)?

Yes.

>1a) If so, what does it mean for a resource to be protected in more
>    than one realm of the same authentication scheme?

It means the user may be authenticated by one of the authorization
databases corresponding to those realms.

>2) If the headers use more than one scheme, can (must?) the name of a realm
>    for one scheme be the same as the name for another?

Nope.

>3) Does the presence of multiple headers imply that a successful
>    authentication by any one of them is equally acceptable to the
>    server?

Yes, assuming that the user is capable of being authorized by
at least one.  However, Basic will be deprecated (and thus "less good")
if there are any other alternatives.

>4) Given multiple headers, how does the client choose a scheme and/or
>    realm for which to prompt the user?

That would be up to the browser.
 ....Roy T. Fielding  Department of ICS, University of California, Irvine USA
                      Visiting Scholar, MIT/LCS + World-Wide Web Consortium
                      (fielding@w3.org)                (fielding@ics.uci.edu)
Received on Friday, 18 August 1995 10:59:40 UTC
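
One way a client could act on the answers above, as an added example that is not part of the original message or of any browser's code: it groups the offered realms per scheme and answers Basic only when no other supported scheme is offered. Assumptions: each header value carries a single challenge, Digest stands in for the "other alternative", and the function names, the `supported` order, the `allow_basic` policy switch and the sample headers are constructed for illustration.

```python
import re

# auth-param = name "=" ( quoted-string | token )
_PARAM = re.compile(r'([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_challenge(value):
    """Split one WWW-Authenticate header value into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        # Undo backslash escapes only inside quoted strings.
        params[name.lower()] = token or re.sub(r"\\(.)", r"\1", quoted)
    return scheme.lower(), params

def realms_by_scheme(header_values):
    """Group offered realms per scheme; one scheme may list several realms."""
    offered = {}
    for value in header_values:
        scheme, params = parse_challenge(value)
        if "realm" in params:
            offered.setdefault(scheme, []).append(params["realm"])
    return offered

def choose_challenge(header_values, supported=("digest", "basic"), allow_basic=True):
    """Pick the challenge to answer, or None if nothing acceptable is offered."""
    usable = [c for c in map(parse_challenge, header_values)
              if c[0] in supported and "realm" in c[1]]
    strong = [c for c in usable if c[0] != "basic"]
    if strong:
        # Any non-Basic alternative wins; ties keep the server's order.
        return min(strong, key=lambda c: supported.index(c[0]))
    basic = [c for c in usable if c[0] == "basic"]
    # Basic is only a fallback, and local policy may refuse it outright.
    return basic[0] if basic and allow_basic else None

# Constructed sample: three headers on one 401 response.
SAMPLE = [
    'Basic realm="staff"',
    'Basic realm="partners"',
    'Digest realm="staff", nonce="constructed-nonce-0001"',
]

if __name__ == "__main__":
    print(realms_by_scheme(SAMPLE))
    print(choose_challenge(SAMPLE))
    print(choose_challenge(SAMPLE[:2], allow_basic=False))
```

With `allow_basic=False`, a response that offers only Basic yields `None`, so the client fails closed instead of sending a reusable password.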