- From: Ilya Kirnos <ilya.kirnos@oracle.com>
- Date: Tue, 17 Sep 2002 12:20:50 -0700
- To: Stefan Eissing <stefan.eissing@greenbytes.de>
- CC: Webdav WG <w3c-dist-auth@w3c.org>
Stefan Eissing wrote: > Ilya, > > Am Dienstag den, 17. September 2002, um 01:35, schrieb Ilya Kirnos: > > > > > Clients currently have no reliable means of forcing the server to > > authenticate them (they can try to preemptively send credentials, but > > this works only for basic auth, not for digest). This can lead to > > situations where the client finds out that it was required to > > authenticate too late and only after doing lots of work, such as when > > putting a large file only to get a 401 back at the end of the transfer. > > A bad user experience, agreed. > > However it would be more elegant if the client could send > the request without the server executing it and checking thus > the authentication for the specific method call. That would also > give any intermediates, like proxies, a chance to determine if > they need any authorization. > > My idea would be to use the IF header for this purpose. A client > can send a request with an invalid lock token in the IF header. > The server, being DAV-compliant, will never execute the request. > > Now this solution depends on the order of authentication vs. IF > header check. Therefore my proposal depends on > > - does every known server check authentication before lock tokens? > - could 2518bis say something like: "All user authentication SHOULD > take place before other request headers like IF are processed."? > i'm not sure this would work, since DAV servers don't even have to support locking to be compliant. -ilya
Received on Tuesday, 17 September 2002 15:19:12 UTC