W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1998

Re: Proxy Auth???

From: Dave Kristol <dmk@bell-labs.com>
Date: Fri, 07 Aug 1998 10:09:55 -0400
Message-Id: <35CB0AB3.3372@bell-labs.com>
To: Paul Leach <paulle@microsoft.com>
Cc: http-wg@hplb.hpl.hp.com
Paul Leach wrote:
> 
> Is Proxy-Authorization only sent after 407, or can it also be sent after
> 401? Section 3.6 (entitled Proxy-Authentication and Proxy-Authorization)
> says that:
> 
> Upon receiving a request which requires authentication, the proxy/server
> must issue the "HTTP/1.1 401 Unauthorized " response with a
> "Proxy-Authenticate" header.
> 
> Section 1.2 says:
> 
> The 401 (Unauthorized) response message is used by an origin server to
> challenge the authorization of a user agent. This response MUST include a
> WWW-Authenticate header field containing at least one challenge applicable
> to the requested resource. The 407 (Proxy Authentication Required) response
> message is used by a proxy to challenge the authorization of a client and
> MUST include a Proxy-Authenticate header field containing a challenge
> applicable to the proxy for the requested resource.

Sounds like a bug in the spec. to me.  WWW-Authenticate goes with 401,
Proxy-Authenticate goes with 407.

The paragraph at the end of 3.6 seems wrong.  I don't think you can get
both WWW-Authenticate *and* Proxy-Authenticate in one response.  First
you would get a 407 from the proxy, then a 401 from the origin server. 
Both could occur, of course, on one request.

Dave Kristol
Received on Friday, 7 August 1998 07:13:14 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:19 EDT