RE: Interop issue: how can clients force authentication?

From: Clemm, Geoff <gclemm@rational.com>
Date: Tue, 17 Sep 2002 22:57:15 -0400
Message-ID: <3906C56A7BD1F54593344C05BD1374B10841D7BE@SUS-MA1IT01>
To: Webdav WG <w3c-dist-auth@w3c.org>

   From: Ilya Kirnos [mailto:ilya.kirnos@oracle.com]

   Julian Reschke wrote:

   > Try a PUT with known-to-fail If header first (-> Stefan's
   > proposal).

I agree that Stefan's proposal is the most appealing.

   maybe.  what's known to fail?

   > An invalid lock token, an invalid ETag, ...

Actually, I'd suggest a simple logical contradiction, i.e.:

If: ("A" Not "A")

   again, i'd like to stay away from a dependency on locking if
   possible, and etags support isn't required if i recall correctly.

etag support isn't required, and locking support isn't required,
but support for the If header is required.

So I suggest we check whether any server does the If check
before it does an authentication check.  It certainly shouldn't,
since the success or failure of the If check tells you something
about the resource which you probably shouldn't know if you are
not authenticated.

I would have no objection to adding a statement to 2518bis that
states that a server SHOULD do authentication checks before any
If checks.

Cheers,
Geoff
Received on Tuesday, 17 September 2002 22:57:47 GMT
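
The check ordering discussed in this message, as an added example that is not part of the original post or of any WebDAV server's code: a toy PUT handler evaluated in both orders, showing which status codes an unauthenticated client can observe. The names (Put, if_holds, put_if_first, put_auth_first, anonymous_view) and the sample ETag are assumptions made for illustration.

```python
from dataclasses import dataclass

CURRENT_ETAG = '"v7"'  # constructed sample value for the stored resource


@dataclass(frozen=True)
class Put:
    authenticated: bool
    # One If list: (entity_tag, negated) pairs that must all hold.
    # An empty tuple models a request with no If header.
    conditions: tuple = ()


def if_holds(req):
    """True when every condition in the If list matches the resource state."""
    return all((tag == CURRENT_ETAG) != negated for tag, negated in req.conditions)


def put_if_first(req):
    """If check before authentication: the ordering the message argues against."""
    if not if_holds(req):
        return 412  # Precondition Failed, returned without any challenge
    if not req.authenticated:
        return 401
    return 204


def put_auth_first(req):
    """Authentication before the If check: the ordering proposed for 2518bis."""
    if not req.authenticated:
        return 401  # challenge regardless of what the If header says
    if not if_holds(req):
        return 412
    return 204


# The logical contradiction from the message: "A" and Not "A" in one list.
CONTRADICTION = (('"A"', False), ('"A"', True))


def anonymous_view(handler):
    """Status codes an unauthenticated client sees while varying the If header."""
    probes = [(), ((CURRENT_ETAG, False),), (('"stale"', False),), CONTRADICTION]
    return {handler(Put(False, conditions)) for conditions in probes}
```

With put_if_first the unauthenticated responses differ with the resource's state (401 versus 412), and the contradiction probe is never challenged; with put_auth_first every unauthenticated request gets 401 and only an authenticated client reaches the 412.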