- From: Joe Feise <jfeise@ics.uci.edu>
- Date: Fri, 30 Jun 2006 07:30:04 -0700
- To: Michael Wechner <michael.wechner@wyona.com>
- CC: Julian Reschke <julian.reschke@gmx.de>, w3c-dist-auth@w3.org
Michael Wechner wrote on 06/30/06 06:55:
>
> right, this might make sense for formats. But I would argue with
> another use case, namely Custom Authentication
> instead of HTTP authentication (BASIC or DIGEST).
>
> Let's assume a resource is protected and a server would like to offer
> custom authentication, e.g. it would send
> a HTML to a regular browser and some WebDAV specific XML to a WebDAV
> enabled client, whereas I haven't dug into
> WebDAV far enough how something like this could be handled by the WebDAV
> spec.

Authentication is independent of the response body. It is all done in the HTTP headers.
Nothing prevents a client from sending an Authorization header without receiving a 401 response beforehand (RFC 2616, section 14.8.)
And servers are free to send multiple WWW-Authenticate headers, for each one of the authentication schemes they support (for example, IIS can indicate support for the custom NTLM authentication.)

So, I still fail to see what the problem is.

-Joe
Received on Friday, 30 June 2006 14:30:43 UTC
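
The header mechanics described in the message above, as an added example that is not part of the original message: a client parses several WWW-Authenticate challenges, picks one scheme, and can build an Authorization value without waiting for a 401. The preference order, the rule that Basic is only used over TLS, the function names and the sample header values are assumptions made for this example.

```python
import base64
import re

# Assumed client policy for this example, most preferred first.
PREFERENCE = ["ntlm", "digest", "basic"]
# Constructed sample: one WWW-Authenticate value per scheme the server supports.
SAMPLE = ['Basic realm="dav"',
          'Digest realm="a, b", qop="auth,auth-int", nonce="n1"',
          "NTLM"]
_ITEM = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')   # comma split, quote-aware
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]*)\s*$')

def parse_challenges(header_values):
    """Return [(scheme, params)] from one or more WWW-Authenticate values."""
    challenges = []
    for value in header_values:
        for item in (i.strip() for i in _ITEM.findall(value)):
            if not item:
                continue
            m = _PARAM.match(item)
            if m is None:                     # item opens a new challenge
                scheme, _, rest = item.partition(" ")
                challenges.append((scheme.lower(), {}))
                m = _PARAM.match(rest.strip())
            if m and challenges:
                raw = m.group(2)
                if raw.startswith('"'):       # unquote a quoted-string
                    raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
                challenges[-1][1][m.group(1).lower()] = raw
    return challenges

def select_scheme(header_values, tls):
    """Pick the preferred offered scheme; Basic only when the channel is TLS."""
    offered = dict(parse_challenges(header_values))
    for scheme in PREFERENCE:
        if scheme in offered and (scheme != "basic" or tls):
            return scheme, offered[scheme]
    return None, {}

def preemptive_basic(user, password):
    """Authorization value sent without a prior 401 (RFC 2616, section 14.8)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token

if __name__ == "__main__":
    print(parse_challenges(SAMPLE))
    print(select_scheme(SAMPLE, tls=False))
```

The response body plays no part in any of this, which is the point of the reply: the same 401 can carry HTML for a browser while the challenges in the headers drive the client's choice.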