- From: Lisa Dusseault <lisa@osafoundation.org>
- Date: Mon, 3 May 2004 11:51:29 -0700
- To: Alexey Melnikov <Alexey.Melnikov@isode.com>, Magnus Nystrom <magnus@rsasecurity.com>
- Cc: Webdav WG <w3c-dist-auth@w3c.org>

I just noticed something else I don't understand in the SASL draft. Can you clarify?

Example 6, in section 4.7.6, shows the client attempting to authenticate but without using the CONNECT request. So far so good -- the client doesn't want a SASL layer, the client simply wants to authenticate. The last GET request in the example shows no WWW-Authenticate header, thus no authorization information -- yet the server responds successfully. Shouldn't every request include the WWW-Authenticate header, until the point where the client decides to "log out"?

This problem wouldn't exist if the 235 error was removed and if SASL worked like Digest/Basic -- the 2nd GET request would clearly contain the authentication, and the response would be 200 OK.

Lisa

Received on Monday, 3 May 2004 15:24:12 UTC