
Re: Interop issue: how can clients force authentication?

From: Roy T. Fielding <fielding@apache.org>
Date: Mon, 16 Sep 2002 17:36:40 -0700
Cc: Webdav WG <w3c-dist-auth@w3c.org>
To: Ilya Kirnos <ilya.kirnos@oracle.com>
Message-Id: <8849D3D8-C9D5-11D6-8B7B-000393753936@apache.org>

Authorization is granted/denied based on the method of the request.
There might even be different challenges per method.  In other words,
this idea won't work for HTTP.

The original idea of OPTIONS was that, if the client wished to test the
options for a specific request, then it would include that request's
request-line and headers in the body of the OPTIONS request.  The server
would then look at the body to determine what the options would be and
report that back to the client.  However, since the WG did not want to
define the format of such a response, the feature got dropped.

The alternative was to simply issue the request with Expect: 100-continue.

I don't know if that is sufficient for your problem, but I do know that
using a T/F request header field on OPTIONS is not.  A minimum would be
to list the methods in that field instead.  I also suggest finding a
less verbose field name.

....Roy
Received on Monday, 16 September 2002 20:36:52 GMT
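
Added example (not part of the original message): an in-memory simulation of the point made above, that the challenge depends on the method and that sending the real request head with Expect: 100-continue reveals it before any body is transmitted. The policy table, realms, credentials, host name `dav.example` and path `/doc.txt` are constructed assumptions.

```python
import base64

# Constructed policy: realm required per method (None = no credentials needed).
POLICY = {"GET": None, "OPTIONS": None, "PUT": "authors", "DELETE": "admins"}
# Constructed credentials accepted for each realm.
CREDS = {realm: "Basic " + base64.b64encode(f"{user}:pw".encode()).decode()
         for realm, user in (("authors", "alice"), ("admins", "root"))}


def parse_head(head: bytes):
    """Split a request head into method, target and lower-cased header map."""
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def respond_to_head(head: bytes) -> bytes:
    """Server decision taken from the request head alone, before any body is read."""
    method, _target, headers = parse_head(head)
    if method not in POLICY:
        return b"HTTP/1.1 501 Not Implemented\r\nContent-Length: 0\r\n\r\n"
    realm = POLICY[method]
    if realm and headers.get("authorization") != CREDS[realm]:
        return (f'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="{realm}"\r\n'
                "Connection: close\r\nContent-Length: 0\r\n\r\n").encode()
    if headers.get("expect", "").lower() == "100-continue":
        return b"HTTP/1.1 100 Continue\r\n\r\n"
    return b""  # no Expect header: the server simply goes on to read the body


def client_request(method, body=b"", authorization=None):
    """Send the head with Expect: 100-continue; return (status, realm, body bytes sent)."""
    head = (f"{method} /doc.txt HTTP/1.1\r\nHost: dav.example\r\n"
            f"Content-Length: {len(body)}\r\nExpect: 100-continue\r\n")
    if authorization:
        head += f"Authorization: {authorization}\r\n"
    reply = respond_to_head((head + "\r\n").encode())
    status = int(reply.split(b" ", 2)[1])
    realm = reply.partition(b'realm="')[2].partition(b'"')[0].decode() or None
    return status, realm, len(body) if status == 100 else 0
```

In this simulation a PUT and a DELETE to the same resource are challenged in different realms, which a single true/false answer on OPTIONS could not express.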
