
Re: combining authenticated and anonymous access

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 16 Apr 2009 11:12:07 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <DEB10FE9-9F93-4C2B-BFB3-71E71644EE4B@mnot.net>
To: Julian Reschke <julian.reschke@gmx.de>

I think this is related to #78; I've put a note there.

http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78


On 28/11/2008, at 5:48 AM, Julian Reschke wrote:

>
> Hi,
>
> over on the WHATWG list, the topic of how to implement a site that
> offers both authenticated and anonymous access is being discussed
> (see around <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/017562.html>).
>
> An interesting proposal is to continue returning content with status  
> 200, but to include the WWW-Authenticate header nevertheless.  
> RFC2616 currently is silent about this combination:
>
> "14.47 WWW-Authenticate
>
> The WWW-Authenticate response-header field MUST be included in 401  
> (Unauthorized) response messages. The field value consists of at  
> least one challenge that indicates the authentication scheme(s) and  
> parameters applicable to the Request-URI.
>
>    WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge
>
> The HTTP access authentication process is described in "HTTP
> Authentication: Basic and Digest Access Authentication" [43]. User
> agents are advised to take special care in parsing the
> WWW-Authenticate field value as it might contain more than one
> challenge, or if more than one WWW-Authenticate header field is
> provided, the contents of a challenge itself can contain a
> comma-separated list of authentication parameters." -- <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>
>
> Has anybody tried this before?
>
> BR, Julian
>


--
Mark Nottingham     http://www.mnot.net/
Received on Thursday, 16 April 2009 01:12:50 GMT
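
The quoted section 14.47 warns that one WWW-Authenticate value can carry several challenges whose own parameters are also comma-separated. The parser below is an added example, not code from this thread or from any HTTP library; it handles only the RFC 2616/2617 `name=value` parameter form, and `split_elements`, `parse_challenges` and the `SAMPLE` header values are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"  # RFC 2616 token
# auth-param = token "=" ( token | quoted-string )
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))\s*$')
SCHEME = re.compile(rf"({TOKEN})(?:\s+(.*))?$")
# Constructed sample: two header fields, three challenges, commas inside quotes.
SAMPLE = ['Digest realm="staff, internal", qop="auth,auth-int", Basic realm="x"',
          "Negotiate"]

def split_elements(value):
    """Split a field value on commas that lie outside quoted-strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if quoted:
        raise ValueError("unterminated quoted-string")
    parts.append("".join(buf).strip())
    return [p for p in parts if p]  # the 1# list rule tolerates empty elements

def parse_challenges(header_values):
    """Return [(scheme, {param: value})] for all WWW-Authenticate field values."""
    challenges = []
    for value in header_values:
        first = len(challenges)  # parameters never carry over from a previous field
        for element in split_elements(value):
            m = PARAM.match(element)
            if m is None:  # not name=value, so a new challenge starts here
                s = SCHEME.match(element)
                if s is None:
                    raise ValueError(f"malformed element: {element!r}")
                challenges.append((s.group(1), {}))
                if s.group(2) is None:
                    continue  # scheme without parameters
                m = PARAM.match(s.group(2))
            if m is None or len(challenges) == first:
                raise ValueError(f"malformed element: {element!r}")
            name, quoted, token = m.groups()
            challenges[-1][1][name.lower()] = token or re.sub(r"\\(.)", r"\1", quoted)
    return challenges
```

A plain `value.split(",")` on the first sample value yields five pieces and cuts both quoted strings in half, which is the parsing hazard the RFC text describes.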
