
Re: WWW-Authenticate, Authorization and 401's

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 17 Aug 2007 11:30:23 +0200
Message-ID: <46C56AAF.4040300@gmx.de>
To: Mark Nottingham <mnot@mnot.net>
CC: Hugo Haas <hugo@yahoo-inc.com>, ietf-http-wg@w3.org

Mark Nottingham wrote:
> 
> Discussion on the list, as well as in Chicago, seems to be leaning 
> towards firming up the combination of 401, WWW-Authenticate and 
> Authorization as a framework, possibly described separately.
> 
> If that's the case, I'd take a stab and say that 401 is specific to 
> authentication mechanisms that use that framework. I.e., it's not just a 
> challenge for *any* authentication to be presented, but for 
> authentication to be presented using the header defined for it. After 
> all, 401 and WWW-Authenticate are already tightly bound (as you point out).
> 
> Does that seem reasonable?

Not fully convinced.

If we say that 401 may only be used for authentication within the 
RFC2617 framework, then we either

- force servers to use that framework (unlikely to succeed with today's 
schemes), or

- force servers not to return a 401 at all.

I think the latter would be bad: in this case I'd prefer a 401 over a 
400 or (gasp!) a 200.

Best regards, Julian
Received on Friday, 17 August 2007 09:30:44 GMT
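The round trip the thread is about, as an added example that is not part of the original message or of any IETF/W3C text: a loopback HTTP server and client in Python's standard library walk through 401 plus a WWW-Authenticate challenge, the client's Authorization answer in the header the framework defines, and then the case Julian raises, a scheme outside the RFC 2617 framework that returns a bare 401 with nothing to answer. The realm "example" and the alice/s3cret account are constructed for the demo; `conforming_401` checks only the header binding (RFC 2616 section 10.4.2), not the strength of the scheme.

```python
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "example"                  # assumed realm name for the demo
CREDENTIALS = {"alice": "s3cret"}  # constructed test account, not a real one


def parse_challenge(header):
    """Split an RFC 2617 challenge such as 'Basic realm="x"' into (scheme, params).
    Naive comma split: quoted values that contain commas are not handled."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for part in rest.split(","):
        if "=" in part:
            name, value = part.split("=", 1)
            params[name.strip().lower()] = value.strip().strip('"')
    return scheme, params


def conforming_401(status, headers):
    """RFC 2616 10.4.2: a 401 MUST include WWW-Authenticate. True for a 401 that
    offers a challenge, False for a bare 401, None if the status is not 401."""
    if status != 401:
        return None
    return any(name.lower() == "www-authenticate" for name in headers)


class Handler(BaseHTTPRequestHandler):
    """Server side: '/' is protected by Basic auth; '/bare' mimics a scheme
    outside the framework that reuses 401 without offering a challenge."""

    def do_GET(self):
        if self.path == "/bare":
            self.send_response(401)
            self.end_headers()
            return
        if self._authorized(self.headers.get("Authorization")):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
            return
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
        self.end_headers()

    def _authorized(self, value):
        scheme, _, token = (value or "").partition(" ")
        if scheme.lower() != "basic":
            return False
        try:
            user, _, password = base64.b64decode(token).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 payload
            return False
        expected = CREDENTIALS.get(user, "")
        return user in CREDENTIALS and hmac.compare_digest(expected.encode(), password.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch(host, port, path, authorization=None):
    """Client side: one GET; returns (status, lower-cased header dict, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Authorization": authorization} if authorization else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body


def run_exchange():
    """Drive the 401 -> WWW-Authenticate -> Authorization round trip on loopback."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        # 1. No credentials: the server answers 401 and names the scheme to use.
        status, hdrs, _ = fetch(host, port, "/")
        scheme, params = parse_challenge(hdrs.get("www-authenticate", ""))
        # 2. Answer in the header the framework defines for it: Authorization.
        token = base64.b64encode(b"alice:s3cret").decode()
        ok_status, _, body = fetch(host, port, "/", "%s %s" % (scheme, token))
        # 3. The case the thread worries about: a 401 with nothing to answer.
        bare_status, bare_hdrs, _ = fetch(host, port, "/bare")
    finally:
        server.shutdown()
        server.server_close()
    return {"first_status": status, "first_conforming": conforming_401(status, hdrs),
            "scheme": scheme, "realm": params.get("realm"),
            "authorized_status": ok_status, "authorized_body": body,
            "bare_status": bare_status, "bare_conforming": conforming_401(bare_status, bare_hdrs)}


if __name__ == "__main__":
    print(run_exchange())
```

The `/bare` endpoint is the "force servers not to return a 401 at all" branch seen from the wire: the status alone tells a client that credentials are wanted, but without a challenge it cannot know in which header or scheme to present them, which is why the binding between 401 and WWW-Authenticate matters to anyone writing a client or a proxy.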
