W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > July to September 2002

RE: Interop issue: how can clients force authentication?

From: Lisa Dusseault <lisa@xythos.com>
Date: Tue, 17 Sep 2002 23:12:04 -0700
To: "'Jason Crawford'" <nn683849@smallcue.com>
Cc: "'Ilya Kirnos'" <ilya.kirnos@oracle.com>, "'Julian Reschke'" <julian.reschke@gmx.de>, "'Webdav WG'" <w3c-dist-auth@w3c.org>
Message-ID: <00e701c25eda$504efaf0$b701a8c0@xythoslap>

> -----Original Message-----
> From: Jason Crawford [mailto:nn683849@smallcue.com]
> Sent: Tuesday, September 17, 2002 9:34 PM
> To: Lisa Dusseault
> Cc: 'Ilya Kirnos'; 'Julian Reschke'; 'Webdav WG'
> Subject: RE: Interop issue: how can clients force authentication?
> 
> > There may be other methods which an unauthenticated user can receive
a
> > success response, but which would work even better if the user were
> > authenticated.
> 
> Shouldn't the server just ask for authentication for those methods?
> 

Not necessarily; if it's possible for the request to return a success
response if the user is unauthenticated, then the server must do so
right away or it may never be able to give a success response.

If a 401 error is returned the first time a client asks to do one of
these methods (like a PROPFIND to a partially-readable collection), how
does the server know the client will ever make the same request?  Maybe
the user doesn't know a username/password and so hits "cancel", and the
client doesn't retry.  And if the client software retries, again without
a username/password, by your logic the server would just respond 401
again.

Lisa
Received on Wednesday, 18 September 2002 02:22:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:01 GMT