- From: Geoffrey M Clemm <geoffrey.clemm@us.ibm.com>
- Date: Sat, 29 Oct 2005 08:45:42 -0400
- To: " webdav" <w3c-dist-auth@w3.org>
- Message-ID: <OF69B23A75.4B5E4716-ON852570A9.00456790-852570A9.00461C9B@us.ibm.com>
I agree that LOCK is the real answer here for WebDAV clients. But for the "force-authenticate" advocates (which Julian is not): If we are contrasting "Expect 100-Continue" vs. "force-authenticate", I think it would make more sense to advise servers to implement Expect correctly rather than to introduce a new force-authenticate header. In particular, why would one believe that a server that doesn't implement Expect properly would implement force-authenticate properly (or at all). Cheers, Geoff Julian wrote on 10/29/2005 04:20:45 AM: > > Geoffrey M Clemm wrote: > > > > To avoid sending the PUT body twice, why can't a client just > > use the standard HTTP "Expect 100-Continue" header? > > It could, but it's a known problem that few servers implement that > correctly, meaning that the expected header check is indeed skipped (for > instance, a server using the servlet API normally doesn't have any > chance doing this check, see > <http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4812000>). > > > And if a client is proactively checking for authentication preceding > > a series of PUT calls, then having it just perform an initial LOCK/UNLOCK > > to get the credential challenge doesn't seem like an unreasonable overhead > > (2 initial requests). > > > > So is this just a technique for servers that want to provide this > > capability but don't want to support LOCK? > > Seems so, because LOCK seems to be yet another existing way to get what > those clients want. > > Best regards, Julian >
Received on Saturday, 29 October 2005 12:45:46 UTC