W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: Basic Authentication behavior

From: Ari Luotonen <luotonen@netscape.com>
Date: Mon, 8 Sep 1997 10:58:30 -0700 (PDT)
Message-Id: <199709081758.KAA20091@step.mcom.com>
To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

Regarding "heuristics" and "guessing" with authentication.

I believe I wrote the original proposal and spec for basic auth used
in HTTP.  I would like to make the point that the intention was that
HTTP basic authentication be hierarchical, and that the rules not be
heuristics, but simply the way it is defined.  If the request for:

	http://.../foo/bar

requires authentication, then the U-A will assume that all documents
starting with the prefix:

	http://.../foo/

will require it.  It applies to the entire subtree, e.g:

	http://.../foo/baz/xyzzy/hello/world

Similarly, any document in the server's root directory:

	http://.../foo

requiring authentication will imply that the whole server is
password-protected, including the index file and any files and
subdirectories:

	http://.../
	http://.../bar

Cheers,
--
Ari Luotonen, Mail-Stop MV-061		Opinions my own, not Netscape's.
Netscape Communications Corp.		ari@netscape.com
501 East Middlefield Road		http://people.netscape.com/ari/
Mountain View, CA 94043, USA		Netscape Proxy Server Development
Received on Monday, 8 September 1997 11:02:18 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:00 EDT