W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > July to September 2002

Re: Interop issue: how can clients force authentication?

From: Ilya Kirnos <ilya.kirnos@oracle.com>
Date: Tue, 17 Sep 2002 12:20:50 -0700
Message-ID: <3D878092.92497362@oracle.com>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
CC: Webdav WG <w3c-dist-auth@w3c.org>


Stefan Eissing wrote:

> Ilya,
>
> Am Dienstag den, 17. September 2002, um 01:35, schrieb Ilya Kirnos:
>
> >
> > Clients currently have no reliable means of forcing the server to
> > authenticate them (they can try to preemptively send credentials, but
> > this works only for basic auth, not for digest).  This can lead to
> > situations where the client finds out that it was required to
> > authenticate too late and only after doing lots of work, such as when
> > putting a large file only to get a 401 back at the end of the transfer.
>
> A bad user experience, agreed.
>
> However it would be more elegant if the client could send
> the request without the server executing it and checking thus
> the authentication for the specific method call. That would also
> give any intermediates, like proxies, a chance to determine if
> they need any authorization.
>
> My idea would be to use the IF header for this purpose. A client
> can send a request with an invalid lock token in the IF header.
> The server, being DAV-compliant, will never execute the request.
>
> Now this solution depends on the order of authentication vs. IF
> header check. Therefore my proposal depends on
>
> - does every known server check authentication before lock tokens?
> - could 2518bis say something like: "All user authentication SHOULD
>    take place before other request headers like IF are processed."?
>

i'm not sure this would work, since DAV servers don't even have to support
locking to be compliant.

-ilya
Received on Tuesday, 17 September 2002 15:19:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:01 GMT