- From: Dave Kristol <dmk@bell-labs.com>
- Date: Fri, 07 Aug 1998 10:09:55 -0400
- To: Paul Leach <paulle@microsoft.com>
- Cc: http-wg@hplb.hpl.hp.com

Paul Leach wrote:
>
> Is Proxy-Authorization only sent after 407, or can it also be sent after
> 401? Section 3.6 (entitled Proxy-Authentication and Proxy-Authorization)
> says that:
>
> Upon receiving a request which requires authentication, the proxy/server
> must issue the "HTTP/1.1 401 Unauthorized " response with a
> "Proxy-Authenticate" header.
>
> Section 1.2 says:
>
> The 401 (Unauthorized) response message is used by an origin server to
> challenge the authorization of a user agent. This response MUST include a
> WWW-Authenticate header field containing at least one challenge applicable
> to the requested resource. The 407 (Proxy Authentication Required) response
> message is used by a proxy to challenge the authorization of a client and
> MUST include a Proxy-Authenticate header field containing a challenge
> applicable to the proxy for the requested resource.

Sounds like a bug in the spec. to me. WWW-Authenticate goes with 401, Proxy-Authenticate goes with 407. The paragraph at the end of 3.6 seems wrong.

I don't think you can get both WWW-Authenticate *and* Proxy-Authenticate in one response. First you would get a 407 from the proxy, then a 401 from the origin server. Both could occur, of course, on one request.

Dave Kristol

Received on Friday, 7 August 1998 07:13:14 UTC
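
The pairing discussed in the message above (401 with WWW-Authenticate, 407 with Proxy-Authenticate), as an added example that is not part of the original thread or of the specification: a client-side check that parses a raw response, reports any status/header combination that differs from the quoted Section 1.2 text, and picks the request header a client would answer with. The function names, realms and nonces are constructed for illustration, and treating Proxy-Authenticate on a 401 as a mismatch is an assumption that follows the reading given in the reply.

```python
# Status code -> challenge header required by the quoted Section 1.2 text.
CHALLENGE_FOR_STATUS = {401: "www-authenticate", 407: "proxy-authenticate"}
# Challenge header -> request header that carries the matching credentials.
REPLY_HEADER = {"www-authenticate": "Authorization",
                "proxy-authenticate": "Proxy-Authorization"}

def parse_response(raw):
    """Split a raw HTTP response into (status code, {lowercased header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip lines that are not "name: value"
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers

def check_challenge(raw):
    """Return (request header to answer with, or None; list of mismatches)."""
    status, headers = parse_response(raw)
    expected = CHALLENGE_FOR_STATUS.get(status)
    problems = []
    for name in REPLY_HEADER:
        # A challenge header that does not belong to this status code.
        if name in headers and name != expected:
            problems.append("%d response carries %s" % (status, name))
    if expected is None:
        return None, problems
    if expected not in headers:
        # Without the matching challenge there is nothing to answer.
        problems.append("%d response lacks %s" % (status, expected))
        return None, problems
    return REPLY_HEADER[expected], problems

# Constructed sample responses (not captured traffic).
PROXY_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             'Proxy-Authenticate: Digest realm="proxy", nonce="abc"\r\n\r\n')
ORIGIN_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              'WWW-Authenticate: Digest realm="origin", nonce="def"\r\n\r\n')
# The combination described in the quoted Section 3.6 paragraph.
SECTION_3_6 = ("HTTP/1.1 401 Unauthorized\r\n"
               'Proxy-Authenticate: Digest realm="proxy", nonce="ghi"\r\n\r\n')
```
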