- From: Ilya Kirnos <ilya.kirnos@oracle.com>
- Date: Mon, 16 Sep 2002 16:35:44 -0700
- To: Webdav WG <w3c-dist-auth@w3c.org>
Clients currently have no reliable means of forcing the server to authenticate them (they can try to preemptively send credentials, but this works only for basic auth, not for digest). This can lead to situations where the client finds out that it was required to authenticate too late and only after doing lots of work, such as when putting a large file only to get a 401 back at the end of the transfer. To address this problem, it was proposed to add a Force-Authenticate OPTIONS header which would force a compliant server to issue an authentication challenge to the client, a la: Force-Authenticate = "Force-Authenticate" ":" ("T" | "F") The Force-Authenticate header would be used with the OPTIONS method to specify that the client wants to be challenged for authentication credentials to the resource identified by the Request-URI. A value of "T" indicates that a compliant DAV server MUST respond with a 401 Unauthorized status code (see [RFC2068], section 10.4.2) if the resource identified by the Request-URI is protected, i.e., there exists a DAV method (read, write, or otherwise) that may result in a 401 response for this Request-URI. Put another way, if the server does *not* respond with a 401, it is guaranteeing to the client that any DAV operation it may want to apply to the Request-URI will not return a 401. This means that the client has a way of finding out beforehand whether it needs credentials to perform an operation, and the server has the option of saying "no credentials necessary" if it is sure that in fact no credentials are necessary (for example, servers that have no access control at all, if any such exist). I thought it was important to keep this option open, although I suspect that most servers would always want to challenge since they couldn't really be sure. Comments? -ilya
Received on Monday, 16 September 2002 19:34:00 UTC