- From: Eric W. Sink <eric@spyglass.com>
- Date: Tue, 20 Dec 1994 15:14:49 -0600
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
The following section from Draft 01 seems odd.
>6.4.2 WWW-Authenticate
>
> The WWW-Authenticate header field must be included as part of the
> response if the server sends back a "401 Unauthorized" Status-Code
> on a request from the client as part of the Basic Authentication
> Scheme described in Section 9. This header field indicates the
> authentication scheme in use and the realm in which the requested
> URI belongs.
>
> WWW-Authenticate = "WWW-Authenticate" ":" (
> ( "Basic" realm )
> | ( extension-scheme realm ) )
>
> realm = "Realm" "=" 1#( "<" URI ">" )
>
> The first word of the field value identifies the authorization
> scheme in use and is followed by the realm of the protected URI.
> The realm is a comma separated list of URIs, where relative URLs
> should be interpreted relative to the URI of the requested resource
> in the RequestLine. If a request is authenticated and a realm
> specified, the User-ID and password should be valid for all other
> requests within this realm.
>
> Note: The realm may span more than one origin server.
I'm not aware that people generally use the realm as a comma separated
list of URIs. I remember hearing someone say at the BOF that it would
be nice to be able to specify that URIs on other machines can be accessed
as part of the same realm. Perhaps this section has been phrased
accordingly?
Was this section written to reflect current practice, or was it written to
be better than current practice?
--
Eric W. Sink, Senior Software Engineer -- eric@spyglass.com
I don't speak for Spyglass.
"Can I get a direct flight back to reality, or do I have to change planes
in Denver?" - The Santa Clause
Received on Tuesday, 20 December 1994 12:10:53 UTC