Re: 411 response code: clarification, please

>Could you summarize why 411 is needed?  If I'm reading draft 01 right,
>anytime someone mistypes their username or password for Basic authentication
>the server should send back 411.  I know this change will break at least
>some of the existing web browsers, since they look for 401 to trigger their
>authentication code.  There should be a very compelling reason to make a
>major change from current practice, especially since current practice is so
>widely implemented.

Well, here's the problem:

   User requests a protected URI
                                    Server returns 401 Unauthorized
   User Agent presents pop-up dialog
   User enters authentication info
   (or just OKs a stored credential)
   UA repeats request using credentials
                                    Server interprets credentials, and
                                    finds them lacking
                                    Server returns 401 Unauthorized
   User Agent presents pop-up dialog
   User enters authentication info
   (or just OKs a stored credential)
   UA repeats request using credentials
                                    Server interprets credentials, and
                                    finds them lacking
                                    Server returns 401 Unauthorized
   ...

The problem is that the User Agent is not showing the user why
the authentication failed.  This is not a problem for Basic AA
because it is a simple user:passwd scheme, and it is probably
best that the user not know why it failed.

However, consider the case of something like Mediated Digest AA:
the failure may be due to any number of reasons -- some of which
may be correctable by the user outside the scope of this user agent.
The user agent needs to know that it must show the user the entity
enclosed with the response.

So, the question is, do we want to require that a 401 response
be shown to the user if Authorization for the indicated scheme+realm
has already been tried and failed?  If yes, then we don't need 411.
If no, then we will need 411.

BTW, it was added because of a prior thread on this list regarding
someone's desire to say "authorization refused" AND explain what
the user must do to get authorization.  Existing user agents made
that impossible because they never show the contents of 401.


 ....Roy T. Fielding  Department of ICS, University of California, Irvine USA
                      Visiting Scholar, MIT/LCS + World-Wide Web Consortium
                      (fielding@w3.org)                (fielding@ics.uci.edu)

Received on Friday, 18 August 1995 13:41:04 UTC
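The loop above, as an added simulation that is not part of the original message: a constructed Basic-auth server (realm and credential are assumed values) and a user agent that either re-prompts on every 401 without ever showing the entity, or applies the rule the message proposes and shows the entity once a credential for the same scheme+realm has already been tried and failed.

```python
import base64
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, entity body)

# Constructed demo server: one protected URI, Basic auth, one valid credential.
REALM = "demo"                       # assumed realm, not from the thread
VALID = {"alice": "correct-horse"}   # constructed credential

def server(headers: Dict[str, str]) -> Response:
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except Exception:            # malformed credential: treat as absent
            user, pw = "", ""
        if VALID.get(user) == pw:
            return 200, {}, "secret page"
    # The entity explains how to obtain access.  A UA that never shows it
    # leaves the user re-typing credentials, which is the loop in the thread.
    return (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'},
            "Authorization refused: register at the help desk first.")

def user_agent(prompt: Callable[[], Tuple[str, str]], max_prompts: int,
               show_entity_on_repeat: bool) -> Tuple[int, List[str], int]:
    """Returns (final status, entities shown to the user, prompts made)."""
    shown: List[str] = []
    tried = set()                    # (scheme, realm params) already attempted
    headers: Dict[str, str] = {}
    prompts = 0
    while True:
        status, resp_headers, body = server(headers)
        if status != 401:
            return status, shown, prompts
        scheme, _, params = resp_headers["WWW-Authenticate"].partition(" ")
        key = (scheme, params)
        if show_entity_on_repeat and key in tried:
            shown.append(body)       # credential for this scheme+realm already failed
            return status, shown, prompts
        if prompts >= max_prompts:   # naive UA: gives up only when the user does
            return status, shown, prompts
        tried.add(key)
        user, pw = prompt()          # pop-up dialog, or stored credential OK'd
        prompts += 1
        cred = base64.b64encode(f"{user}:{pw}".encode()).decode()
        headers = {"Authorization": "Basic " + cred}
```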