
combining authenticated and anonymous access

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 27 Nov 2008 19:48:53 +0100
Message-ID: <492EEB95.9050001@gmx.de>
To: HTTP Working Group <ietf-http-wg@w3.org>

Hi,

over on the WHATWG list, the topic of how to implement a site that 
offers both authenticated and anonymous access is being discussed (see 
around 
<http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/017562.html>).

An interesting proposal is to continue returning content with status 
200, but to include the WWW-Authenticate header nevertheless. RFC2616 
currently is silent about this combination:

"14.47 WWW-Authenticate

The WWW-Authenticate response-header field MUST be included in 401 
(Unauthorized) response messages. The field value consists of at least 
one challenge that indicates the authentication scheme(s) and parameters 
applicable to the Request-URI.

     WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge

The HTTP access authentication process is described in "HTTP 
Authentication: Basic and Digest Access Authentication" [43]. User 
agents are advised to take special care in parsing the WWW-Authenticate 
field value as it might contain more than one challenge, or if more than 
one WWW-Authenticate header field is provided, the contents of a 
challenge itself can contain a comma-separated list of authentication 
parameters." -- 
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>

Has anybody tried this before?

BR, Julian
Received on Thursday, 27 November 2008 18:52:43 GMT
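
The parsing problem that the quoted RFC 2616 section 14.47 text warns about, as an added example that is not part of the original message: a client that honours WWW-Authenticate on a 200 response has to split the challenge list exactly as it would on a 401. The function names and the sample header values are constructed for illustration, and the code assumes the RFC 2617 challenge grammar (a scheme followed by comma-separated name=value auth-params).

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))$')
SCHEME = re.compile(rf"({TOKEN})(?:\s+(.+))?$")
PIECE = re.compile(r'"(?:[^"\\]|\\.)*"|,|[^",]+')  # quoted-string, comma, other text

def split_list(value):
    """Split a field value on commas that are outside quoted-strings."""
    pieces = PIECE.findall(value)
    if "".join(pieces) != value:  # findall skipped a stray '"'
        raise ValueError("unterminated quoted-string")
    parts = [""]
    for piece in pieces:
        if piece == ",":
            parts.append("")
        else:
            parts[-1] += piece
    return [p.strip() for p in parts if p.strip()]  # empty list elements are allowed

def add_param(params, text):
    m = PARAM.match(text)
    if not m:
        raise ValueError(f"malformed auth-param: {text!r}")
    name, quoted, token = m.groups()
    params[name.lower()] = token if quoted is None else re.sub(r"\\(.)", r"\1", quoted)

def parse_challenges(field_values):
    """Return [(scheme, params)] for all WWW-Authenticate fields of a response."""
    challenges = []
    for value in field_values:
        current = None  # auth-params never carry over between header fields
        for part in split_list(value):
            m = None if PARAM.match(part) else SCHEME.match(part)
            if m:  # "scheme" or "scheme first-param": starts a new challenge
                current = {}
                challenges.append((m.group(1), current))
                part = (m.group(2) or "").strip()
            if current is None:
                raise ValueError(f"no auth-scheme before {part!r}")
            if part:
                add_param(current, part)
    return challenges

# Constructed sample: WWW-Authenticate fields of one hypothetical 200 response.
SAMPLE = ['Digest realm="members", qop="auth,auth-int", nonce="abc", Basic realm="members"',
          "Negotiate"]
```

The comma inside the quoted qop value stays part of that parameter, while the comma before Basic starts a second challenge.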
