Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 26 Jul 2011 21:55:23 +0200
Message-ID: <4E2F1BAB.2090604@gmx.de>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 2011-07-26 15:47, Yutaka OIWA wrote:
> On 2011/07/26 22:28, Yutaka OIWA wrote:
>
>> And if this change text intends to introduce any opportunity
>> for optional authentication to HTTP at this time,
>> I think we need more detailed restrictions to make it really work.
>> If the intention is just to clarify header meanings and
>> leave the rest for future work, it is OK for me.
>
> just FYI, the following is the list of required additional rules
> to make optional auth work.
>
> (1) The response for successful authentication MUST NOT contain
>      any WWW-Authenticate: header.

Not sure about that.

If we allow WWW-A on a non-authenticated 200 response, why not also on 
an authenticated one?

> (2) The response for failed authentication is RECOMMENDED to be
>      401 status, even if a request for the same URL and method without
>      Authorization: header will result in 200 status with WWW-Authenticate:
>      header.

I agree with this one, but, as Mark said, let's leave that to future work.

 > ...

Best regards, Julian
Received on Tuesday, 26 July 2011 19:56:06 GMT
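
An added example, not part of the original message or of any draft text: a Python sketch of how a client could read a response if rules (1) and (2) quoted above were adopted, next to the reading it gets when WWW-Authenticate is also allowed on an authenticated 200. The function name, outcome labels and sample exchanges are constructed for illustration, and the premise that rule (1) exists to make a 200 unambiguous is an assumption of this example.

```python
def classify(sent_authorization, status, response_headers, rule1=True):
    """Return the client's reading of one response (labels are hypothetical).

    rule1=True  : proposed rule (1) holds, so a response to successful
                  authentication never carries WWW-Authenticate.
    rule1=False : WWW-Authenticate is also allowed on an authenticated 200.
    """
    challenged = any(k.lower() == "www-authenticate" for k in response_headers)

    if status == 401:
        if not challenged:
            return "malformed-401"  # a 401 is expected to carry a challenge
        # Rule (2): failed authentication is RECOMMENDED to answer 401.
        return "credentials-rejected" if sent_authorization else "auth-required"
    if status != 200:
        return "out-of-scope"

    if not sent_authorization:
        # Optional authentication: content served, challenge offered.
        return "anonymous-auth-offered" if challenged else "anonymous"
    if not challenged:
        return "authenticated"
    # Credentialed request, 200 plus challenge. Under rule (1) this cannot be
    # a success, so the content was served without the credentials applied.
    # Without rule (1) the client cannot tell which case it is in.
    return "served-unauthenticated" if rule1 else "ambiguous"


# Constructed sample exchanges: (sent Authorization?, status, response headers)
CHALLENGE = {"WWW-Authenticate": 'Basic realm="example"'}
SAMPLES = [
    (False, 200, CHALLENGE),  # anonymous request, optional auth offered
    (True, 200, {}),          # credentials accepted
    (True, 401, CHALLENGE),   # credentials rejected, as rule (2) recommends
    (True, 200, CHALLENGE),   # the case the two rules disagree about
]


def run_samples(rule1=True):
    return [classify(*sample, rule1=rule1) for sample in SAMPLES]


if __name__ == "__main__":
    for flag in (True, False):
        print("rule1 =", flag, run_samples(rule1=flag))
```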