Re: combining authenticated and anonymous access

I think this is related to #78; I've put a note there.

http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78


On 28/11/2008, at 5:48 AM, Julian Reschke wrote:

>
> Hi,
>
> over on the whatwg list, the topic of how to implement a site that
> offers both authenticated and anonymous access is being discussed
> (see around <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/017562.html>).
>
> An interesting proposal is to continue returning content with status  
> 200, but to include the WWW-Authenticate header nevertheless.  
> RFC2616 currently is silent about this combination:
>
> "14.47 WWW-Authenticate
>
> The WWW-Authenticate response-header field MUST be included in 401  
> (Unauthorized) response messages. The field value consists of at  
> least one challenge that indicates the authentication scheme(s) and  
> parameters applicable to the Request-URI.
>
>    WWW-Authenticate  = "WWW-Authenticate" ":" 1#challenge
>
> The HTTP access authentication process is described in "HTTP
> Authentication: Basic and Digest Access Authentication" [43]. User
> agents are advised to take special care in parsing the
> WWW-Authenticate field value as it might contain more than one
> challenge, or if more than one WWW-Authenticate header field is
> provided, the contents of a challenge itself can contain a
> comma-separated list of authentication parameters."
> -- <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>
>
> Has anybody tried this before?
>
> BR, Julian
>


--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 16 April 2009 01:12:50 UTC
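
Added example, not part of the original messages: a Python sketch of the "special care" the quoted section 14.47 asks of user agents when a WWW-Authenticate value carries several challenges, applied to the 200-plus-challenge response discussed in the thread. The names `parse_challenges`, `auth_mode` and `SAMPLE` are hypothetical, the header lines are constructed, and reading 200 with a challenge as "optional" is an assumption of this example, since RFC 2616 is silent on that combination.

```python
import re

# token and quoted-string as defined in RFC 2616 section 2.2
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = re.compile(rf'({TOKEN})[ \t]*=[ \t]*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
SCHEME = re.compile(rf'({TOKEN})(?:[ \t]+|(?=,)|$)')
SEP = re.compile(r'[ \t]*(?:,[ \t]*)*')  # the 1#rule tolerates empty list elements

def parse_challenges(field_values):
    """Return [(scheme, {param: value})] from every WWW-Authenticate field value.

    A comma may separate challenges, separate auth-params, or sit inside a
    quoted-string, so the value is scanned, not split. Missing commas pass.
    """
    challenges = []
    for value in field_values:
        current = None  # auth-params never carry over from another header line
        pos = SEP.match(value).end()
        while pos < len(value):
            m = PARAM.match(value, pos)
            if m:
                if current is None:
                    raise ValueError(f"auth-param before any scheme: {value!r}")
                name, quoted, token = m.groups()
                current[1][name.lower()] = (
                    token if quoted is None else re.sub(r"\\(.)", r"\1", quoted))
            else:
                m = SCHEME.match(value, pos)
                if not m:
                    raise ValueError(f"malformed challenge at offset {pos}: {value!r}")
                current = (m.group(1), {})
                challenges.append(current)
            pos = SEP.match(value, m.end()).end()
    return challenges

def auth_mode(status, field_values):
    """Classify a response: 'required', 'optional' or 'none', plus its challenges."""
    challenges = parse_challenges(field_values)
    if status == 401:
        if not challenges:
            raise ValueError("401 without WWW-Authenticate violates RFC 2616 14.47")
        return "required", challenges
    # 200 plus a challenge is the combination proposed in the thread; RFC 2616
    # does not define it, so treating it as "optional" is this example's assumption.
    return ("optional" if status == 200 and challenges else "none"), challenges

# Constructed sample header lines, not captured from a real server.
SAMPLE = ['Digest realm="members, staff", nonce="abc123", qop="auth,auth-int", '
          'Basic realm="members"', "Negotiate"]
```
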