- From: Dave Kristol <dmk@allegra.att.com>
- Date: Thu, 17 Aug 95 15:26:02 EDT
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Last week there was some discussion about how to support multiple
WWW-Authenticate (or equivalent) headers. Here are some related
questions.
Let's assume the server sends multiple WWW-Authenticate headers for a
single resource. (Or it could be some new header; you get the idea.)
1) Can there be more than one such header that uses the same scheme
(e.g., Basic)?
1a) If so, what does it mean for a resource to be protected in more
than one realm of the same authentication scheme?
2) If the headers use more than one scheme, can (must?) the name of a realm
for one scheme be the same as the name for another?
2a) If so, then either:
2a1) The user can't tell which one is being prompted for,
because of the insistence (that I have been unable to dislodge)
that the prompt for a realm includes the name of the realm. Or
2a2) It doesn't matter, because the name/password (at least for Basic
and Digest) must be identical in both realms.
3) Does the presence of multiple headers imply that a successful
authentication by any one of them is equally acceptable to the
server?
4) Given multiple headers, how does the client choose a scheme and/or
realm for which to prompt the user?
I'll toss in my standard bleat: I think "realm" is overloaded, and the
server ought to be able to specify the realm-name, which the client can
use to distinguish protection domains, and a prompt, which the client
can use to prompt the user for whatever information is required. In the
case of 2a1, it would be possible to have the same realm name used for
different authentication schemes; different prompts would enable the
server to get the client to ask for the right stuff.
If there's any intent to introduce another header for authentication,
that would be an ideal time to add the prompt I'm asking for. The
default prompt could be what it is now, the realm-name.
Dave Kristol
Received on Thursday, 17 August 1995 12:34:45 UTC