W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2008

RE: combining authenticated and anonymous access

From: Thomas Maslen <Thomas.Maslen@quest.com>
Date: Thu, 27 Nov 2008 12:35:12 -0800
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <723530449330F342A68634ADF3CE8DE2032BAACD61@alvxmbw02.prod.quest.corp>

Julian Reschke julian.reschke@gmx.de wrote:

> [...] An interesting proposal is to continue returning content with status 200, but to include the WWW-Authenticate header nevertheless.  RFC2616 currently is silent about this combination

Note that there is at least one scenario where a response with 200 status (and content) may already include a "WWW-Authenticate" header.  See RFC 4559, section 4.1, "A status code 200 response can also carry a 'WWW-Authenticate' response header containing the final leg of an authentication".

Of course the difference between this and the proposal you cited is that in RFC 4559 this only happens after the client has sent an "Authorization: Negotiate <big Base64 blob>" header [*] and the server has used that to authenticate the client, whereas in the proposal you're looking at this would happen when the client has not authenticated to the server (but the server is happy with unauthenticated clients).

[*] This can happen either because the most recent response from the server was a 401 with a "WWW-Authenticate: Negotiate" challenge or because the client decides to preemptively send the Authorization header -- Internet Explorer does this for every POST (and, I assume, for any other HTTP request that has a content-body) after it discovers that the server expects Negotiate authentication
Received on Thursday, 27 November 2008 20:35:55 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:47 UTC