W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #195, was: ABNF for Authorization header not quite right

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 07 Aug 2011 20:28:03 +0200
Message-ID: <4E3ED933.4000506@gmx.de>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On 2011-07-29 01:45, Manger, James H wrote:
>>> RFC 4559 "SPEGNO/NTLM/Negotiate" might specify that, but I don't think it can work as it makes parsing ambiguous. For instance, does the following response header include 1 scheme with 4 parameters, or 2 or 3 schemes? Is "tuv" another authentication scheme supported by this server, or a parameter of the "ABC" scheme?
>>>     WWW-Authenticate: ABC xyz, a=1, qrs, tuv
>> The ABNF says:
>>      challenge   = auth-scheme 1*SP 1#auth-param
>> so there needs to be at least one auth-param, separated by one or more SPs.
> NTLM doesn't include any params initially.
> A recent HTTPbis change made the 1 and only previously-required parameter 'realm' optional.
> So the syntax should be adjusted not to require any params. At which point a base64 blob that isn't the first param would be ambiguous.
> ...


again sorry for the slow feedback.

I spent some time on


making sure that what RFC 2616/7 specify is actually parseable (it seems 
to, I've done with with XSLT 2 and regexps). (Feedback on more tests 

Summarizing where we are:

- we introduce a b64 grammar production

- we remove the at-least one auth-param requirement from the ABNF 
(actually, that should be done as part of issue 

- we allow b64 both in challenges and credentials *instead* of a list of 
auth-params (we believe a single b64 is sufficient for Negotiate & friends)

Best regards, Julian
Received on Sunday, 7 August 2011 18:28:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:58 UTC