
Re: WWW-Authenticate, Authorization and 401's

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 17 Aug 2007 12:34:14 +0200
Message-ID: <46C579A6.8020307@gmx.de>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
CC: Mark Nottingham <mnot@mnot.net>, Hugo Haas <hugo@yahoo-inc.com>, ietf-http-wg@w3.org

Stefan Eissing wrote:
> 
> On 17.08.2007 at 11:30, Julian Reschke wrote:
>> - force servers not to return a 401 at all.
>>
>> I think the latter would be bad: in this case I'd prefer a 401 over a 
>> 400 or (gasp!) a 200.
> 
> Well, sending WWW-Authenticate along with 401 is a MUST. So, how would a 
> server send a 401 *without* complying with the basic framework Mark is 
> talking about?

In theory it could invent an auth scheme name (and then not support it). 
For a client that would be indistinguishable from a real scheme that it 
happens not to support.

I just want to make sure that we don't end up promoting serving HTML 
login forms with 200, because 401 isn't allowed. Maybe the language for 
401 could be enhanced to state that if a server does require some kind 
of authentication, but does not support HTTP auth, 403 SHOULD be used?

Best regards, Julian
Received on Friday, 17 August 2007 10:34:32 GMT
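
The cases discussed in the message above, as seen from a client, in an added example that is not part of the original post. The `SUPPORTED` set, the result labels and the login-form heuristic are assumptions made for illustration, and all inputs are constructed.

```python
import re

SUPPORTED = {"basic", "digest"}  # assumption: schemes this hypothetical client implements
_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')
# An auth-scheme is an HTTP token that is NOT followed by "=" (that would be a parameter).
_SCHEME = re.compile(r"^\s*([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?!\s*=)(?:\s|$)")
# Heuristic only: an HTML password field in a response body.
_LOGIN_FORM = re.compile(r'<input[^>]+type=["\']?password', re.I)

def challenge_schemes(header_value):
    """Return the lower-cased scheme names found in a WWW-Authenticate value."""
    # Blank out quoted strings first so commas inside them do not split a challenge.
    blanked = _QUOTED.sub('""', header_value)
    schemes = []
    for part in blanked.split(","):
        m = _SCHEME.match(part)
        if m:  # parts such as nonce="" are parameters, not new challenges
            schemes.append(m.group(1).lower())
    return schemes

def classify(status, headers, body=""):
    """Label a response according to how it signals 'authentication required'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        schemes = challenge_schemes(hdrs.get("www-authenticate", ""))
        if not schemes:
            return "401-without-challenge"   # violates the MUST quoted above
        if SUPPORTED.intersection(schemes):
            return "401-usable-challenge"
        # An invented scheme and a real but unimplemented one both land here.
        return "401-unsupported-scheme"
    if status == 403:
        return "403-refused"
    if status == 200 and _LOGIN_FORM.search(body):
        return "200-login-form"              # auth failure hidden behind a success code
    return "other"
```

A client gets a machine-readable signal in every case except the 200 one, where it has to guess from the body.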
