- From: Lisa Dusseault <lisa@xythos.com>
- Date: Tue, 17 Sep 2002 23:12:04 -0700
- To: "'Jason Crawford'" <nn683849@smallcue.com>
- Cc: "'Ilya Kirnos'" <ilya.kirnos@oracle.com>, "'Julian Reschke'" <julian.reschke@gmx.de>, "'Webdav WG'" <w3c-dist-auth@w3c.org>
> -----Original Message----- > From: Jason Crawford [mailto:nn683849@smallcue.com] > Sent: Tuesday, September 17, 2002 9:34 PM > To: Lisa Dusseault > Cc: 'Ilya Kirnos'; 'Julian Reschke'; 'Webdav WG' > Subject: RE: Interop issue: how can clients force authentication? > > > There may be other methods which an unauthenticated user can receive a > > success response, but which would work even better if the user were > > authenticated. > > Shouldn't the server just ask for authentication for those methods? > Not necessarily; if it's possible for the request to return a success response if the user is unauthenticated, then the server must do so right away or it may never be able to give a success response. If a 401 error is returned the first time a client asks to do one of these methods (like a PROPFIND to a partially-readable collection), how does the server know the client will ever make the same request? Maybe the user doesn't know a username/password and so hits "cancel", and the client doesn't retry. And if the client software retries, again without a username/password, by your logic the server would just respond 401 again. Lisa
Received on Wednesday, 18 September 2002 02:22:01 UTC