
Re: WGLC #357: Authentication Exchanges

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 20 Jun 2012 12:29:53 +0200
Message-ID: <4FE1A621.2050501@gmx.de>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
CC: Mark Nottingham <mnot@mnot.net>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
On 2012-06-20 12:08, Yutaka OIWA wrote:
> Dear Julian,
>
> 2012/6/20 Julian Reschke <julian.reschke@gmx.de>:
>>> I think this (use 401 instead of 403) should be kept for two reasons:
>>>
>>>   * Without 401 status, the client will not know that changing
>>>      the user name and the password will solve the
>>>      inaccessibility issue.
>>
>>
>> Sorry?
>>
>> "The server understood the request, but refuses to authorize it. Providing
>> different user authentication credentials might be successful, but any
>> credentials that were provided in the request are insufficient. The request
>> SHOULD NOT be repeated with the same credentials." -
>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.7.4.3>
>
> I see.  I noticed now that this was changed incompatibly from RFC 2616.
> Thank you for telling me.

Context: <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/294>

> Now I have a concern with the text for 403 status for two reasons,
>   * any recovery from failed authorization (with successful authentication)
>     is completely out of the protocol's provision, and
>   * the new definition is intentionally breaking existing server implementations.

How so? Example?

> ...

Best regards, Julian
Received on Wednesday, 20 June 2012 10:30:33 GMT
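The distinction the thread turns on (a 401 carries a WWW-Authenticate challenge and tells the client that supplying or changing credentials may help; a 403 under the draft text quoted above means the request SHOULD NOT be repeated with the same credentials, and nothing in the response tells the client how to obtain different ones) is easiest to see as a client retry policy next to the server decision that produces each status. The following is an added example, not code from the thread, from the HTTPbis drafts or from any HTTP implementation; the `Response` type, the user table, the ACL and the `server`/`fetch` functions are constructed here for illustration.

```python
"""Model of 401 vs 403 handling on both sides of the connection (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)


def decide(resp, credentials_sent):
    """Return the action a conforming client may take after an auth-related response.

    Rules modelled from RFC 2616 and the draft text quoted in the thread:
      * 401 must carry a WWW-Authenticate challenge; the client may obtain
        credentials (or different ones, if some were already sent) and retry.
      * 403: the server refuses to authorize the request; the same credentials
        SHOULD NOT be resent.  Different credentials might succeed, but the
        response gives the client no challenge telling it how to present them.
      * Any other status is not an authentication problem for this policy.
    """
    if resp.status == 401:
        challenge = resp.headers.get("WWW-Authenticate")
        if challenge is None:
            # A 401 without a challenge is malformed; there is nothing to retry with.
            return ("fail", "401 without WWW-Authenticate")
        if credentials_sent is None:
            return ("retry_with_credentials", challenge)
        return ("retry_with_different_credentials", challenge)
    if resp.status == 403:
        return ("do_not_retry_same_credentials", None)
    return ("done", None)


# Constructed server state: "alice" may read /reports, "bob" is a valid user who may not.
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {"/reports": {"alice"}}


def server(path, credentials):
    """Constructed server: pick 401 (not authenticated) or 403 (not authorized)."""
    if credentials is None or USERS.get(credentials[0]) != credentials[1]:
        # Missing or wrong credentials: challenge, so the client learns that
        # supplying (or changing) credentials may resolve the failure.
        return Response(401, {"WWW-Authenticate": 'Basic realm="example"'})
    if credentials[0] not in ACL.get(path, set()):
        # Authenticated successfully, but this user is not authorized here.
        return Response(403)
    return Response(200)


def fetch(path, credential_list):
    """Client loop driven by decide(); returns (final_status, attempt_log).

    attempt_log is a list of (credentials_used, status) pairs, so a caller can
    verify that no credential pair was resent after a 403.
    """
    attempts = []
    remaining = iter(credential_list)
    creds = None
    while True:
        resp = server(path, creds)
        attempts.append((creds, resp.status))
        action, _challenge = decide(resp, creds)
        if action in ("done", "fail", "do_not_retry_same_credentials"):
            return resp.status, attempts
        # A 401 invites a retry; use the next available credentials, or give up.
        creds = next(remaining, None)
        if creds is None:
            return resp.status, attempts
```

Running `fetch("/reports", [("bob", "hunter2")])` produces an unauthenticated 401, then a 403 once bob authenticates, after which the client stops rather than resending bob's credentials; with `("alice", "wrong")` followed by `("alice", "s3cret")` the client sees two 401s and then a 200, because each 401 carried a challenge inviting different credentials.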
