- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 20 Nov 2011 17:51:39 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
Context:

http://trac.tools.ietf.org/wg/httpbis/trac/ticket/314
and
http://greenbytes.de/tech/tc/httpauth/#simplebasictok

Proposed Change:

Remove the parameter-specific ABNF and describe the syntax in prose;
noting that many recipients accept token as well, thus new recipients
may have to, as well.

The new description would read:

2.2. Protection Space (Realm)

The authentication parameter realm is reserved for use by
authentication schemes that wish to indicate the scope of protection.

A protection space is defined by the canonical root URI (the scheme
and authority components of the effective request URI; see Section
4.3 of [Part1]) of the server being accessed, in combination with the
realm value if present. These realms allow the protected resources
on a server to be partitioned into a set of protection spaces, each
with its own authentication scheme and/or authorization database.
The realm value is a string, generally assigned by the origin server,
which can have additional semantics specific to the authentication
scheme. Note that there can be multiple challenges with the same
auth-scheme but different realms.

The protection space determines the domain over which credentials can
be automatically applied. If a prior request has been authorized,
the same credentials MAY be reused for all other requests within that
protection space for a period of time determined by the
authentication scheme, parameters, and/or user preference. Unless
otherwise defined by the authentication scheme, a single protection
space cannot extend outside the scope of its server.

For historical reasons, senders MUST only use the quoted-string
syntax. Recipients might have to support both token and
quoted-string syntax as both have been accepted by common user-agents
for many years.

See also:
<http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/314/314.diff>

Feedback appreciated, Julian
Received on Sunday, 20 November 2011 16:52:46 UTC
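
The sender and recipient rules in the proposed text, as an added Python example (not part of the original message or of the HTTPbis drafts): the formatter always emits realm as a quoted-string, while the parser accepts both forms and reports which one it saw. The function names are hypothetical, the token and quoted-string character sets are taken from RFC 7230, and the sample header values are constructed.

```python
import re

# token / quoted-string character sets as in RFC 7230 (assumed; not in the message)
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e\x80-\xff]|\\[\t \x21-\x7e\x80-\xff])*"'
# one auth-param: name "=" ( quoted-string / token ), then "," or end of input
PARAM = re.compile(rf"\s*({TOKEN})\s*=\s*(?:({QUOTED})|({TOKEN}))\s*(?:,|$)")


def parse_realm(challenge):
    """Recipient: return (realm, syntax_seen) from one challenge, tolerating token."""
    scheme, _, rest = challenge.strip().partition(" ")
    if not re.fullmatch(TOKEN, scheme):
        raise ValueError("malformed auth-scheme")
    realm, syntax, pos = None, None, 0
    while pos < len(rest):
        m = PARAM.match(rest, pos)
        if m is None:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name, quoted, token = m.groups()
        if name.lower() == "realm":
            if realm is not None:
                raise ValueError("duplicate realm parameter")
            if quoted is not None:
                # strip the quotes, then undo quoted-pair escaping
                realm, syntax = re.sub(r"\\(.)", r"\1", quoted[1:-1]), "quoted-string"
            else:
                realm, syntax = token, "token"  # legacy form accepted by user agents
        pos = m.end()
    return realm, syntax


def format_challenge(scheme, realm):
    """Sender: always emit realm as a quoted-string, never as a bare token."""
    if re.search(r"[^\t \x21-\x7e\x80-\xff]", realm):
        # CR, LF and other control characters cannot be carried in a quoted-string
        raise ValueError("realm has characters not allowed in quoted-string")
    escaped = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'{scheme} realm="{escaped}"'


if __name__ == "__main__":
    for sample in ('Basic realm="foo"', "Basic realm=foo"):  # constructed inputs
        print(sample, "->", parse_realm(sample))
```

Returning the syntax that was seen lets a server or proxy log token-form realms separately, so components that parse the same header differently can be spotted.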