Mark Nottingham wrote:
>
> Discussion on the list, as well as in Chicago, seems to be leaning
> towards firming up the combination of 401, WWW-Authenticate and
> Authorization as a framework, possibly described separately.
>
> If that's the case, I'd take a stab and say that 401 is specific to
> authentication mechanisms that use that framework. I.e., it's not just a
> challenge for *any* authentication to be presented, but for
> authentication to be presented using the header defined for it. After
> all, 401 and WWW-Authenticate are already tightly bound (as you point out).
>
> Does that seem reasonable?

Not fully convinced. If we say that 401 may only be used for authentication within the RFC2617 framework, then we either

- force servers to use that framework (unlikely to succeed with today's schemes), or
- force servers not to return a 401 at all.

I think the latter would be bad: in this case I'd prefer a 401 over a 400 or (gasp!) a 200.

Best regards, Julian

Received on Friday, 17 August 2007 09:30:44 UTC