- From: Roy T. Fielding <fielding@apache.org>
- Date: Mon, 16 Sep 2002 17:36:40 -0700
- To: Ilya Kirnos <ilya.kirnos@oracle.com>
- Cc: Webdav WG <w3c-dist-auth@w3c.org>
Authorization is granted/denied based on the method of the request. There might even be different challenges per method. In other words, this idea won't work for HTTP. The original idea of OPTIONS was that, if the client wished to test the options for a specific request, then it would include that request's request-line and headers in the body of the OPTIONS request. The server would then look at the body to determine what the options would be and report that back to the client. However, since the WG did not want to define the format of such a response, the feature got dropped. The alternative was to simply issue the request with Expect: 100-continue. I don't know if that is sufficient for your problem, but I do know that using a T/F request header field on OPTIONS is not. A minimum would be to list the methods in that field instead. I also suggest finding a less verbose field name. ....Roy
Received on Monday, 16 September 2002 20:36:52 UTC