W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > October to December 2005

Re: [Bug 18] no record of consensus for force-authenticate

From: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
Date: Sat, 29 Oct 2005 08:45:42 -0400
To: " webdav" <w3c-dist-auth@w3.org>
Message-ID: <OF69B23A75.4B5E4716-ON852570A9.00456790-852570A9.00461C9B@us.ibm.com>
I agree that LOCK is the real answer here for WebDAV clients.

But for the "force-authenticate" advocates (which Julian is not):
If we are contrasting "Expect 100-Continue" vs. "force-authenticate", 
I think it would make more sense to advise servers to implement Expect
correctly rather than to introduce a new force-authenticate header.
In particular, why would one believe that a server that doesn't implement
Expect properly would implement force-authenticate properly (or at all).

Cheers,
Geoff

Julian wrote on 10/29/2005 04:20:45 AM:
> 
> Geoffrey M Clemm wrote:
> > 
> > To avoid sending the PUT body twice, why can't a client just
> > use the standard HTTP "Expect 100-Continue" header?
> 
> It could, but it's a known problem that few servers implement that 
> correctly, meaning that the expected header check is indeed skipped (for 

> instance, a server using the servlet API normally doesn't have any 
> chance doing this check, see 
> <http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4812000>).
> 
> > And if a client is proactively checking for authentication preceding
> > a series of PUT calls, then having it just perform an initial 
LOCK/UNLOCK
> > to get the credential challenge doesn't seem like an unreasonable 
overhead
> > (2 initial requests).
> > 
> > So is this just a technique for servers that want to provide this
> > capability but don't want to support LOCK? 
> 
> Seems so, because LOCK seems to be yet another existing way to get what 
> those clients want.
> 
> Best regards, Julian
> 
Received on Saturday, 29 October 2005 12:45:46 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:11 GMT