W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Adrien de Croy <adrien@qbik.com>
Date: Mon, 25 Jul 2011 19:37:03 +1200
Message-ID: <4E2D1D1F.7000707@qbik.com>
To: Willy Tarreau <w@1wt.eu>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>


On 25/07/2011 4:40 p.m., Willy Tarreau wrote:
> On Mon, Jul 25, 2011 at 01:29:30PM +1200, Adrien de Croy wrote:
>>>>> 1) Clarify that WWW-Authenticate can appear on any response, and that
>>>>> when it appears on any other than a 401, it means that the client can
>>>>> optionally present the request again with a credential.
>>>> Does this mean it's only for other 4xx or for any status ? It might have
>>>> implications with non-idempotent requests if a client can repost a request
>>>> that led to a 200 for instance.
>>> Any status. Good point about non-idempotent requests; we'll need to make
>>> clear it's not about automatically retrying requests, but instead that
>>> sending the same request with credentials might have a different affect.
>> isn't this redundant?
>>
>> I see requests with credentials all the time, when no previous
>> WWW-Authorize had been sent in any response.
> Normally they're doing this when they have seen once a 401 with
> WWW-Authenticate. Here the idea is that the server might present
> the header on something different from the 401 (eg: here is your
> data, but if you authenticate I could probably serve something
> more specific to you).

actually we mostly see it when the client agent is a script, downstream 
proxy, tunneling (non-http) client or other non-browser.

They send the header from request #1.

Of course this ignores the issue about whether the method chosen is 
supported / advertised.  Normally it's Basic as well.

Adrien


>
> Regards,
> Willy
>
>

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Monday, 25 July 2011 07:37:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:46 GMT