- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 16 Apr 2009 11:12:07 +1000
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

I think this is related to #78; I've put a note there.

http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78

On 28/11/2008, at 5:48 AM, Julian Reschke wrote:

> Hi,
>
> over on the whatwg list, the topic of how to implement a site that
> offers both authenticated and anonymous access is being discussed
> (see around <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-November/017562.html>).
>
> An interesting proposal is to continue returning content with status
> 200, but to include the WWW-Authenticate header nevertheless.
> RFC2616 currently is silent about this combination:
>
> "14.47 WWW-Authenticate
>
> The WWW-Authenticate response-header field MUST be included in 401
> (Unauthorized) response messages. The field value consists of at
> least one challenge that indicates the authentication scheme(s) and
> parameters applicable to the Request-URI.
>
>     WWW-Authenticate = "WWW-Authenticate" ":" 1#challenge
>
> The HTTP access authentication process is described in "HTTP
> Authentication: Basic and Digest Access Authentication" [43]. User
> agents are advised to take special care in parsing the
> WWW-Authenticate field value as it might contain more than one
> challenge, or if more than one WWW-Authenticate header field is
> provided, the contents of a challenge itself can contain a
> comma-separated list of authentication parameters."
> -- <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.47>
>
> Has anybody tried this before?
>
> BR, Julian

--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 16 April 2009 01:12:50 UTC
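
The RFC 2616 text quoted in the message warns that one WWW-Authenticate value can hold several challenges whose parameters are themselves comma-separated. The following is an added example, not part of the original message or of any HTTPbis text, of a parser that separates them so a client can read the header on any status code, 200 included. The function names are hypothetical, and challenges that carry a bare credential blob instead of name=value parameters are rejected rather than parsed.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})$')
START = re.compile(rf'({TOKEN})(?:\s+(.*))?$', re.S)

def split_list(value):
    """Split a field value on commas that lie outside quoted-strings."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False              # char after a backslash is literal
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf).strip())
    return [i for i in items if i]       # drop empty list elements

def unquote(v):
    """Strip the quotes and backslash escapes from a quoted-string."""
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v

def parse_challenges(header_values):
    """Return [(scheme, {param: value})] across all WWW-Authenticate fields."""
    challenges = []
    for value in header_values:
        current = None                   # parameters never span header fields
        for item in split_list(value):
            m = PARAM.match(item)
            if m and current is None:
                raise ValueError(f"parameter without a scheme: {item!r}")
            if not m:                    # item opens a new challenge
                s = START.match(item)
                if not s:
                    raise ValueError(f"malformed challenge: {item!r}")
                current = (s.group(1), {})
                challenges.append(current)
                if not s.group(2):
                    continue             # scheme with no parameters
                m = PARAM.match(s.group(2).strip())
                if not m:
                    raise ValueError(f"unsupported challenge: {item!r}")
            current[1][m.group(1).lower()] = unquote(m.group(2))
    return challenges
```
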