Re: realms, prompts, WWW-Authenticate

From: Roy Fielding <fielding@beach.w3.org>
Date: Fri, 18 Aug 1995 13:57:58 -0400
Message-Id: <199508181758.NAA12253@beach.w3.org>
To: Dave Kristol <dmk@allegra.att.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>Last week there was some discussion about how to support multiple
>WWW-Authenticate (or equivalent) headers.  Here are some related
>questions.
>
>Let's assume the server sends multiple WWW-Authenticate headers for a
>single resource.  (Or it could be some new header; you get the idea.)
>
>1) Can there be more than one such header that uses the same scheme
>    (e.g., Basic)?

Yes.

>1a) If so, what does it mean for a resource to be protected in more
>    than one realm of the same authentication scheme?

It means the user may be authenticated by one of the authorization
databases corresponding to those realms.

>2) If the headers use more than one scheme, can (must?) the name of a realm
>    for one scheme be the same as the name for another?

Nope.

>3) Does the presence of multiple headers imply that a successful
>    authentication by any one of them is equally acceptable to the
>    server?

Yes, assuming that the user is capable of being authorized by
at least one.  However, Basic will be deprecated (and thus "less good")
if there are any other alternatives.

>4) Given multiple headers, how does the client choose a scheme and/or
>    realm for which to prompt the user?

That would be up to the browser.

 ....Roy T. Fielding  Department of ICS, University of California, Irvine USA
                      Visiting Scholar, MIT/LCS + World-Wide Web Consortium
                      (fielding@w3.org)                (fielding@ics.uci.edu)
Received on Friday, 18 August 1995 10:59:40 EDT
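
An added example, not part of the original message: one way a client could act on answers 3 and 4, treating any one challenge as sufficient while ranking Basic below the alternatives. The preference list, the `known_realms` parameter, the one-challenge-per-header assumption and the sample header values are all constructed for illustration.

```python
import re

# Assumed client policy, strongest first; Basic is ranked last ("less good").
PREFERENCE = ["digest", "basic"]

# auth-param: name=token or name="quoted string with \-escapes"
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def parse_challenge(value):
    """Parse a header value holding ONE challenge into (scheme, params)."""
    scheme, _, rest = value.strip().partition(" ")
    if not scheme:
        raise ValueError("empty challenge")
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        # token is non-empty only when the unquoted alternative matched
        params[name.lower()] = token if token else re.sub(r"\\(.)", r"\1", quoted)
    return scheme.lower(), params

def choose_challenge(header_values, known_realms=()):
    """Return the (scheme, realm) to answer, or None if nothing is supported.

    Unsupported schemes and challenges without a realm are skipped. Among the
    rest, the strongest scheme wins; within one scheme, a realm the client
    already holds credentials for wins, otherwise the first one listed.
    """
    candidates = []
    for value in header_values:
        scheme, params = parse_challenge(value)
        if scheme in PREFERENCE and "realm" in params:
            candidates.append((scheme, params["realm"]))
    if not candidates:
        return None
    return min(candidates,
               key=lambda c: (PREFERENCE.index(c[0]), c[1] not in known_realms))

# Constructed sample: one 401 response carrying four WWW-Authenticate headers.
SAMPLE = [
    'Basic realm="Staff"',
    'Basic realm="Contractors"',
    'Digest realm="Staff-Digest", nonce="abc123"',
    'Frobnicate realm="x"',  # made-up scheme the client does not implement
]

if __name__ == "__main__":
    print(choose_challenge(SAMPLE))
    print(choose_challenge(SAMPLE[:2], known_realms={"Contractors"}))
```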