
Re: Issue 146, was: Users with different access rights in HTTP Authentication

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 21 Jul 2010 14:43:11 +0200
To: Julian Reschke <julian.reschke@gmx.de>
Cc: "William A. Rowe Jr." <wrowe@rowe-clan.net>, "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>, David Morris <dwm@xpasc.com>, HTTP Working Group <ietf-http-wg@w3.org>, Martin Atkins <mart@degeneration.co.uk>
Message-ID: <20100721124311.GB1194@1wt.eu>
On Wed, Jul 21, 2010 at 01:46:38PM +0200, Julian Reschke wrote:
(...)
> On 19.07.2010 23:13, Willy Tarreau wrote:
> > ...
> > or also "not acceptable" ?
> > ...
> 
> That would create confusion with the Accept header and status code 406.

Good point! Let's forget this one then.

(...)
> OK, so:
> 
> 401 -> you can't do this because you haven't authenticated
> 
> 403 -> this is forbidden for you, but authenticating as somebody else 
> may help
> 
> 405 -> this method is not allowed/supported/applicable for this resource
> 
> The use case you mentioned is interesting and came up before: what's a 
> good way to signal to non-authenticated users that authenticating might 
> give access to more operations? "Vary: Authorization" comes to mind. But 
> that still would require the "public" server to know about the 
> "authoring" server, in which case it might be possible to properly 
> return information about method support...

Anyway, it still leaves open the expected behaviour on the client. What
should a client do when facing such a response which indicates that
(re-)authenticating as a different user *may* help satisfy the condition?

Regards,
Willy
Received on Wednesday, 21 July 2010 12:43:54 GMT
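The 401/403/405 split Julian lays out in the quoted reply, as an added example (not code from this thread or from any project mentioned in it): a small Python decision function that maps an access check onto those status codes and marks the responses that depend on the presented credentials with "Vary: Authorization". The resource table, realm name and principal names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    # Constructed ACL: method -> set of principals permitted to use it.
    # A method missing from the dict is not supported for this resource at all.
    # The principal "*" means anyone, including unauthenticated clients.
    allowed: dict


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def decide(resource: Resource, method: str, principal):
    """Return the status/headers for a request; principal is None if unauthenticated."""
    if method not in resource.allowed:
        # Nobody can use this method on this resource: 405, with the Allow list.
        # The answer does not depend on credentials, so no Vary header.
        return Response(405, {"Allow": ", ".join(sorted(resource.allowed))})
    permitted = resource.allowed[method]
    if "*" in permitted:
        # Public operation: same answer for every client, cacheable as usual.
        return Response(200)
    # From here on the outcome depends on the Authorization header, so a
    # shared cache must not hand one user's response to another.
    headers = {"Vary": "Authorization"}
    if principal in permitted:
        return Response(200, headers)
    if principal is None:
        # Not authenticated yet: challenge (realm name is an assumption).
        headers["WWW-Authenticate"] = 'Basic realm="example"'
        return Response(401, headers)
    # Authenticated, but this identity is not permitted; another one might be.
    return Response(403, headers)


if __name__ == "__main__":
    # Constructed resource: anyone may GET, only "alice" may PUT, no DELETE.
    doc = Resource({"GET": {"*"}, "PUT": {"alice"}})
    for method, who in [("GET", None), ("PUT", None), ("PUT", "bob"),
                        ("PUT", "alice"), ("DELETE", "alice")]:
        r = decide(doc, method, who)
        print(method, who, r.status, r.headers)
```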
