
Authorization with WWW-Authenticate (bis)

From: Sylvain Hellegouarch <sh@defuze.org>
Date: Fri, 23 Oct 2009 17:57:01 +0200 (CEST)
Message-ID: <39775.>
To: ietf-http-wg@w3.org

Hi all,

Following http://www.w3.org/Protocols/HTTP/1.1/rfc2616bis/issues/#i78 I've
been left wondering how to convey the following semantic with HTTP:

* The request was not fulfilled due to authorization failure and the
server (does not wish to)/(cannot) specify which scheme must be used.

The context is based on HTTP requests issued from JavaScript along with a
cookie-based authentication system.

RFC 2616 tells me I can neither reply with a 401 without a scheme nor
use a 403, since subsequent Authorization would not help.

At first I was tempted to simply use one of the 30x codes to inform the
JavaScript handler that it should act accordingly, but browsers don't
bubble up 30x responses to the JavaScript stack, which leaves me the
already burdened 400.

There seemed to be a consensus two years ago not to split the
Authorization header from its WWW-Authenticate friend but to me the
semantic of one without the other remains.

Today I'm merely seeking the group's advice on what would be the best
decision to make.

- Sylvain
Sylvain Hellegouarch
Received on Friday, 23 October 2009 15:57:29 UTC
