Ticket #78: 78.diff

File 78.diff, 3.0 KB (added by julian.reschke@…, 8 years ago)
  • p7-auth.xml

    451451  <list style="symbols">
     452    <x:lt>
    452453    <t>
    453454      Authentication schemes need to be compatible with the inherent
    454455      constraints of HTTP; for instance, that messages need to keep their
    456457      can not bind information to the TCP session over which the message
    457458      was received (see &msg-orient-and-buffering;).
    458459    </t>
     460    </x:lt>
     461    <x:lt>
    459462    <t>
    460463      The authentication parameter "realm" is reserved for defining Protection
    461464      Spaces as defined in <xref target="protection.space"/>. New schemes
    462465      &MUST-NOT; use it in a way incompatible with that definition.
    463466    </t>
     467    </x:lt>
     468    <x:lt>
    464469    <t>
    465470      Authentication schemes need to document whether they are usable in
    466471      origin-server authentication (i.e., using WWW-Authenticate), and/or
    467472      proxy authentication (i.e., using Proxy-Authenticate).
    468     </t>   
    469     <!-- note about Authorization header -->
     473    </t>
     474    </x:lt>
     475    <x:lt>
     476    <t>
     477      The credentials carried in an Authorization header field are specific to
     478      the User Agent, and therefore have the same effect on HTTP caches as the
     479      "private" Cache-Control response directive, within the scope of the
     480      request they appear in.
     481    </t>
     482    <t>
     483      Therefore, new authentication schemes which choose not to carry
     484      credentials in the Authorization header (e.g., using a newly defined
     485      header) will need to explicitly disallow caching, by mandating the use of
     486      either Cache-Control request directives (e.g., "no-store") or response
     487      directives (e.g., "private").
     488    </t>
     489    </x:lt>
    470490  </list>
    623643   The "WWW-Authenticate" header field consists of at least one
    624644   challenge that indicates the authentication scheme(s) and parameters
    625    applicable to the effective request URI (&effective-request-uri;). It &MUST; be included in 401
    626    (Unauthorized) response messages.
     645   applicable to the effective request URI (&effective-request-uri;).
     648   It &MUST; be included in 401 (Unauthorized) response messages and &MAY; be
     649   included in other response messages to indicate that supplying credentials
     650   (or different credentials) might affect the response.
    628652<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="WWW-Authenticate"/>
    629653  <x:ref>WWW-Authenticate</x:ref> = 1#<x:ref>challenge</x:ref>
    12551279  Closed issues:
    12561280  <list style="symbols">
    12571281    <t>
     1282      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/78"/>:
     1283      "Relationship between 401, Authorization and WWW-Authenticate"
     1284    </t>
     1285    <t>
    12581286      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/177"/>:
    12591287      "Realm required on challenges"
    12601288    </t>