W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > July to September 2002

Re: Interop issue: how can clients force authentication?

From: Ilya Kirnos <ilya.kirnos@oracle.com>
Date: Tue, 17 Sep 2002 12:20:50 -0700
Message-ID: <3D878092.92497362@oracle.com>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
CC: Webdav WG <w3c-dist-auth@w3c.org>

Stefan Eissing wrote:

> Ilya,
> Am Dienstag den, 17. September 2002, um 01:35, schrieb Ilya Kirnos:
> >
> > Clients currently have no reliable means of forcing the server to
> > authenticate them (they can try to preemptively send credentials, but
> > this works only for basic auth, not for digest).  This can lead to
> > situations where the client finds out that it was required to
> > authenticate too late and only after doing lots of work, such as when
> > putting a large file only to get a 401 back at the end of the transfer.
> A bad user experience, agreed.
> However it would be more elegant if the client could send
> the request without the server executing it and checking thus
> the authentication for the specific method call. That would also
> give any intermediates, like proxies, a chance to determine if
> they need any authorization.
> My idea would be to use the IF header for this purpose. A client
> can send a request with an invalid lock token in the IF header.
> The server, being DAV-compliant, will never execute the request.
> Now this solution depends on the order of authentication vs. IF
> header check. Therefore my proposal depends on
> - does every known server check authentication before lock tokens?
> - could 2518bis say something like: "All user authentication SHOULD
>    take place before other request headers like IF are processed."?

i'm not sure this would work, since DAV servers don't even have to support
locking to be compliant.

Received on Tuesday, 17 September 2002 15:19:12 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:26 UTC