Re: Interop issue: how can clients force authentication?

Stefan Eissing wrote:

> Ilya,
>
> On Tuesday, 17 September 2002, at 01:35, Ilya Kirnos wrote:
>
> >
> > Clients currently have no reliable means of forcing the server to
> > authenticate them (they can try to preemptively send credentials, but
> > this works only for basic auth, not for digest).  This can lead to
> > situations where the client finds out that it was required to
> > authenticate too late and only after doing lots of work, such as when
> > putting a large file only to get a 401 back at the end of the transfer.
>
> A bad user experience, agreed.
>
> However it would be more elegant if the client could send
> the request without the server executing it and thus checking
> the authentication for the specific method call. That would also
> give any intermediates, like proxies, a chance to determine if
> they need any authorization.
>
> My idea would be to use the IF header for this purpose. A client
> can send a request with an invalid lock token in the IF header.
> The server, being DAV-compliant, will never execute the request.
>
> Now this solution depends on the order of authentication vs. IF
> header check. Therefore my proposal depends on
>
> - does every known server check authentication before lock tokens?
> - could 2518bis say something like: "All user authentication SHOULD
>    take place before other request headers like IF are processed."?
>

I'm not sure this would work, since DAV servers don't even have to support
locking to be compliant.

-ilya

Received on Tuesday, 17 September 2002 15:19:12 UTC
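
The ordering dependency discussed in this thread, as an added example that is not part of the original messages: a constructed model of a server that applies the authentication check and the If-header check in a configurable order, probed with a lock token that can never match. The names `serve_put` and `probe`, the three flags and the token value are assumptions made for illustration and do not describe any real server.

```python
# Constructed model for illustration; not any real WebDAV server's code.
BOGUS_IF = "(<opaquelocktoken:00000000-0000-0000-0000-000000000000>)"  # made-up token


def serve_put(headers, auth_first=True, evaluates_if=True, auth_required=True):
    """Return the status a modelled server gives a PUT carrying these headers."""
    def check_auth():
        # Assumption: presence of the header stands in for valid credentials.
        if auth_required and "Authorization" not in headers:
            return 401
        return None

    def check_if():
        # A lock token the server never issued cannot match any resource state.
        if evaluates_if and "If" in headers:
            return 412
        return None

    order = [check_auth, check_if] if auth_first else [check_if, check_auth]
    for check in order:
        status = check()
        if status is not None:
            return status
    return 201  # nothing stopped the request: the (empty) body was stored


def probe(**server):
    """Send an empty PUT with the bogus token and no credentials; classify the reply."""
    status = serve_put({"If": BOGUS_IF, "Content-Length": "0"}, **server)
    if status == 401:
        return "auth-required"  # client can authenticate before the real upload
    if status == 412:
        return "inconclusive"   # no auth needed, or the If check ran before auth
    return "executed"           # server ignored If, so the probe had a side effect


if __name__ == "__main__":
    for cfg in (
        dict(auth_first=True, evaluates_if=True),
        dict(auth_first=False, evaluates_if=True),
        dict(evaluates_if=False, auth_required=False),
    ):
        print(cfg, "->", probe(**cfg))
```

Only the auth-first configuration gives the client the early 401 it wants; with the checks reversed a 412 says nothing about authentication, and a server that does not evaluate the If header runs the probe as a real request.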