Changeset 1018

Timestamp:

22/09/10 15:03:45 (13 years ago)

Author:

julian.reschke@…

Message:

move and rephrase Note about listing well-known schemes first in WWW-Authenticate (see #237)

Location:

draft-ietf-httpbis/latest

Files:

• p7-auth.html (modified) (7 diffs)
• p7-auth.xml (modified) (2 diffs)

draft-ietf-httpbis/latest/p7-auth.html

@@ -397 +397 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2010-09-14">
+      <meta name="dct.issued" scheme="ISO8601" content="2010-09-22">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines HTTP Authentication.">
@@ -428 +428 @@
             </tr>
             <tr>
-               <td class="left">Expires: March 18, 2011</td>
+               <td class="left">Expires: March 26, 2011</td>
                <td class="right">HP</td>
             </tr>
@@ -481 +481 @@
             <tr>
                <td class="left"></td>
-               <td class="right">September 14, 2010</td>
+               <td class="right">September 22, 2010</td>
             </tr>
          </tbody>
@@ -507 +507 @@
          in progress”.
       </p>
-      <p>This Internet-Draft will expire on March 18, 2011.</p>
+      <p>This Internet-Draft will expire on March 26, 2011.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2010 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
@@ -628 +628 @@
          </p> 
       </div>
-      <p id="rfc.section.2.p.6">The authentication parameter realm is defined for all authentication schemes:</p>
+      <div class="note" id="rfc.section.2.p.6"> 
+         <p> <b>Note:</b> Many browsers fail to parse challenges containing unknown schemes. A workaround for this problem is to list well-supported
+            schemes (such as "basic") first.
+         </p> 
+      </div>
+      <p id="rfc.section.2.p.7">The authentication parameter realm is defined for all authentication schemes:</p>
       <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.r.1"></span><span id="rfc.iref.r.2"></span>  realm       = "realm" "=" realm-value
   realm-value = quoted-string
-</pre><p id="rfc.section.2.p.8">The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value
+</pre><p id="rfc.section.2.p.9">The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value
          (case-sensitive), in combination with the canonical root URI (the scheme and authority components of the effective request
          URI; see <a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.6"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>) of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be
@@ -638 +643 @@
          scheme. Note that there can be multiple challenges with the same auth-scheme but different realms.
       </p>
-      <p id="rfc.section.2.p.9">A user agent that wishes to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401
+      <p id="rfc.section.2.p.10">A user agent that wishes to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401
          (Unauthorized) -- <em class="bcp14">MAY</em> do so by including an Authorization header field with the request. A client that wishes to authenticate itself with a proxy
          -- usually, but not necessarily, after receiving a 407 (Proxy Authentication Required) -- <em class="bcp14">MAY</em> do so by including a Proxy-Authorization header field with the request. Both the Authorization field value and the Proxy-Authorization
@@ -648 +653 @@
                             / <a href="#core.rules" class="smpl">quoted-string</a>
                             / #<a href="#access.authentication.framework" class="smpl">auth-param</a> )
-</pre><div class="note" id="rfc.section.2.p.11"> 
-         <p> <b>Note:</b> many browsers will only recognize Basic and will require that it be the first auth-scheme presented. Servers should only include
-            Basic if it is minimally acceptable.<span class="comment" id="rfc.comment.1">[<a href="#rfc.comment.1" class="smpl">rfc.comment.1</a>: Either rephrase and add reference or drop.]</span> 
-         </p> 
-      </div>
-      <p id="rfc.section.2.p.12">The protection space determines the domain over which credentials can be automatically applied. If a prior request has been
+</pre><p id="rfc.section.2.p.12">The protection space determines the domain over which credentials can be automatically applied. If a prior request has been
          authorized, the same credentials <em class="bcp14">MAY</em> be reused for all other requests within that protection space for a period of time determined by the authentication scheme,
          parameters, and/or user preference. Unless otherwise defined by the authentication scheme, a single protection space cannot

draft-ietf-httpbis/latest/p7-auth.xml

@@ -321 +321 @@
   </t>
 </x:note>
+<x:note>
+  <t>
+      <x:h>Note:</x:h> Many browsers fail to parse challenges containing unknown
+      schemes. A workaround for this problem is to list well-supported schemes
+      (such as "basic") first.
+  </t>
+</x:note>
 <t>
    The authentication parameter realm is defined for all authentication
@@ -363 +370 @@
                             / #<x:ref>auth-param</x:ref> )
 </artwork></figure>
-<x:note>
-  <t>
-      <x:h>Note:</x:h> many browsers will only recognize Basic and will require
-      that it be the first auth-scheme presented. Servers should only
-      include Basic if it is minimally acceptable.<cref>Either rephrase and add reference or drop.</cref>
-  </t>
-</x:note>
 <t>
    The protection space determines the domain over which credentials can