- From: Dyer, Kevin <kevin.dyer@matrixone.com>
- Date: Wed, 18 Sep 2002 12:50:54 -0400
- To: "'Lisa Dusseault '" <lisa@xythos.com>, "''Stefan Eissing' '" <stefan.eissing@greenbytes.de>
- Cc: "'Webdav WG '" <w3c-dist-auth@w3c.org>
- Message-ID: <9150DCE0CCB4D411A7DB00508BB0DBF202E5C8D2@msx1am.matrixone.net>
I believe that Stefan was implying for a server to validate through the ACLs that a resource is protected and that a user has not been authenticated. If both are true then a server would not give out such information because to some people even the names of the files are competition sensitive. If the ACLs indicate that a resource is unprotected then it would not matter if the client has provided authentication credentials or not. That said, there is nothing in RFC2518 that states a client and server can not communicate through an out of band communication path, say LDAP or application registry, to initialize the client. This would allow a client to be able to ask up front for authentication credentials. -----Original Message----- From: Lisa Dusseault To: 'Stefan Eissing' Cc: Webdav WG Sent: 9/18/02 12:29 PM Subject: RE: Interop issue: how can clients force authentication? > First, I bet that 100% of all non-broken, existing servers do > authentication checks before looking at the request resource and > its properities like locks. It's the sensible thing to do, as a > user might not even have read permission on the resource. So > one probably should prevent him/her from finding out about the lock > status of the resource. No, and why should they? There's nothing in RFC2518 that requires servers to support locks only for authenticated users. If a resource is publicly writable, there may be nothing to prevent unauthenticated users from taking out locks and using lock tokens. Recall that the If header can also be used with ETags, which are not at all associated with how a user is authenticated. Also, recall that in order to "do authentication checks", the server must respond to the client with a 401 with the WWW-Authenticate header, then the client must make another request. Of course if the client sent its authentication information on the first request, the server is likely to check it. However, the client can't even send its authentication information if it doesn't yet know whether the server supports digest or basic, or what realm, nonce, etc. That's why Ilya wants to be able to ask the server to reply with a WWW-Authenticate header. Lisa
Received on Wednesday, 18 September 2002 12:51:37 UTC