W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2005

Re: [Bug 18] no record of consensus for force-authenticate

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 29 Oct 2005 10:20:45 +0200
Message-ID: <436330DD.2050603@gmx.de>
To: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
CC: webdav <w3c-dist-auth@w3.org>

Geoffrey M Clemm wrote:
> 
> To avoid sending the PUT body twice, why can't a client just
> use the standard HTTP "Expect 100-Continue" header?

It could, but it's a known problem that few servers implement that 
correctly, meaning that the expected header check is indeed skipped (for 
instance, a server using the servlet API normally doesn't have any 
chance doing this check, see 
<http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4812000>).

> And if a client is proactively checking for authentication preceding
> a series of PUT calls, then having it just perform an initial LOCK/UNLOCK
> to get the credential challenge doesn't seem like an unreasonable overhead
> (2 initial requests).
> 
> So is this just a technique for servers that want to provide this
> capability but don't want to support LOCK?  

Seems so, because LOCK seems to be yet another existing way to get what 
those clients want.

Best regards, Julian
Received on Saturday, 29 October 2005 08:21:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:11 GMT