
RE: How can an HTTP 1.1 client force a challenge

From: Jim Whitehead <ejw@cse.ucsc.edu>
Date: Mon, 27 Aug 2001 11:49:51 -0700
To: "WebDAV" <w3c-dist-auth@w3.org>, <PZehler@crt.xerox.com>, <slawrence@virata.com>, <bartman@process.com>
Message-ID: <AMEPKEBLDJJCCDEJHAMIOEIIDFAA.ejw@cse.ucsc.edu>

We have run across this issue with clients wanting to get a challenge before
sending the body of a large PUT request.

> ISSUE: How can a client force an HTTP server to issue a challenge before the
> client sends a POST body containing a lot of data?

> SOLUTION:
>      1.  The client sends an HTTP request header containing the
> "Expect:100-continue" header field, but waits before transmitting the
> request body.

IMO, this is the preferred solution.  The only drawback I can see is that
some of the fielded IPP servers might not support the Expect header. Thus,
you might want to have some kind of discovery mechanism available for
clients to determine if a printer supports Expect.

>      2.  The Printer (i.e. server) examines the HTTP header and decides
> whether or not to accept the HTTP request.

I think that this approach would depend too much on the semantics of client
stacks.  Does a client stack check for responses as it is sending out a
large request body? This may not be under the control of a user-space client
(i.e., if the client hands a pointer to the kernel and says "ship these
bytes" then I believe the ability to detect an early reply depends on the
implementation of the TCP stack in the kernel).

>      3a.  If the Printer accepts the HTTP request, it sends a 100(Continue)
> response and continues to read from the input stream. Go to 4a.

Assuming the client can handle a 100 response -- you would need to check the
installed base of IPP clients to see if this would work.

>      3b.  If the Printer requires authentication, it rejects the request
> with 401 (Unauthorized) status and a "WWW-Authenticate" header field
> containing at least one challenge. Go to 4b.
>      4a.  If the client receives a 100 (Continue) response, it now has a
> reasonable expectation that the HTTP request will succeed.  The client now
> transmits the request body which contains the IPP printing instructions and
> print data. Go to 5.
>      4b.  If the client receives a challenge, it sends a new HTTP request
> header containing an "Authorization" header field and an "Expect:
> 100-continue" header field. Go to 3a.
>      5.  After the Printer receives and processes the HTTP request body, it
> sends a final HTTP status code in response.

- Jim
Received on Monday, 27 August 2001 14:53:24 GMT
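
The exchange in steps 1 through 5 of the quoted proposal, as an added example that is not part of the original message: a loopback server built on Python's `http.server` stands in for the Printer and answers the request headers with 401 or 100 before reading any body, while a raw-socket client withholds the body until it sees 100. The credential, the `/job` path, the realm name and the 204 final status are assumptions made for the demonstration.

```python
import socket, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "Basic dXNlcjpwYXNz"   # constructed credential (user:pass), an assumption
RECEIVED = []                   # sizes of request bodies the server actually read

class Printer(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"   # http.server acts on Expect only for HTTP/1.1
    def handle_expect_100(self):    # steps 2, 3a, 3b: decide from the headers alone
        if self.headers.get("Authorization") == TOKEN:
            return super().handle_expect_100()    # sends 100 (Continue)
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="printer"')
        self.send_header("Connection", "close")   # any body is left unread
        self.end_headers()
        return False
    def do_PUT(self):               # step 5
        if self.headers.get("Authorization") != TOKEN:
            return self.handle_expect_100()       # client sent no Expect: still 401
        RECEIVED.append(len(self.rfile.read(int(self.headers["Content-Length"]))))
        self.send_response(204)
        self.end_headers()
    def log_message(self, *args): pass   # keep the demo quiet

def read_status(f):
    code = int(f.readline().split()[1])
    while f.readline().strip(): pass     # skip header lines up to the blank line
    return code

def put_with_expect(addr, body, credential):
    statuses, auth = [], ""
    for _ in range(2):              # step 4b: one retry, this time with credentials
        with socket.create_connection(addr, timeout=5) as s, s.makefile("rb") as f:
            s.sendall((f"PUT /job HTTP/1.1\r\nHost: printer\r\nContent-Length: "
                       f"{len(body)}\r\nExpect: 100-continue\r\n{auth}\r\n").encode())
            statuses.append(read_status(f))    # step 1: wait before sending the body
            if statuses[-1] == 100:            # step 4a: body goes out only now
                s.sendall(body)
                statuses.append(read_status(f))
        if statuses[-1] != 401:
            break
        auth = f"Authorization: {credential}\r\n"
    return statuses

def demo():
    with HTTPServer(("127.0.0.1", 0), Printer) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        statuses = put_with_expect(srv.server_address, b"x" * 100_000, TOKEN)
        srv.shutdown()
    return statuses, list(RECEIVED)
```

`demo()` returns the status sequence the client saw and the body sizes the server read. The 5-second socket timeout is what a client hits against a server that ignores `Expect`, the drawback raised in the reply above.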
