Changeset 1356 for draft-ietf-httpbis/latest
- Timestamp:
- Jul 26, 2011, 9:00:04 AM (8 years ago)
- Location:
- draft-ietf-httpbis/latest
- Files:
- 2 edited
draft-ietf-httpbis/latest/p7-auth.html
r1354 r1356 545 545 <li>2.1 <a href="#challenge.and.response">Challenge and Response</a></li> 546 546 <li>2.2 <a href="#protection.space">Protection Space (Realm)</a></li> 547 <li>2.3 <a href="#authentication.scheme.registry">Authentication Scheme Registry</a></li> 547 <li>2.3 <a href="#authentication.scheme.registry">Authentication Scheme Registry</a><ul> 548 <li>2.3.1 <a href="#considerations.for.new.authentication.schemes">Considerations for New Authentication Schemes</a></li> 549 </ul> 550 </li> 548 551 </ul> 549 552 </li> … … 707 710 <p id="rfc.section.2.3.p.4">The registry itself is maintained at <<a href="http://www.iana.org/assignments/http-authschemes">http://www.iana.org/assignments/http-authschemes</a>>. 708 711 </p> 712 <h3 id="rfc.section.2.3.1"><a href="#rfc.section.2.3.1">2.3.1</a> <a id="considerations.for.new.authentication.schemes" href="#considerations.for.new.authentication.schemes">Considerations for New Authentication Schemes</a></h3> 713 <p id="rfc.section.2.3.1.p.1">There are certain aspects of the HTTP Authentication Framework that put constraints on how new authentication schemes can 714 work: 715 </p> 716 <p id="rfc.section.2.3.1.p.2"> </p> 717 <ul> 718 <li>Authentication schemes need to be compatible with the inherent constraints of HTTP; for instance, that messages need to keep 719 their semantics when inspected in isolation, thus an authentication scheme can not bind information to the TCP session over 720 which the message was received (see <a href="p1-messaging.html#message-orientation-and-buffering" title="Message Orientation and Buffering">Section 2.2</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). 721 </li> 722 <li>The authentication parameter "realm" is reserved for defining Protection Spaces as defined in <a href="#protection.space" title="Protection Space (Realm)">Section 2.2</a>. 
New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition. 723 </li> 724 <li>Authentication schemes need to document whther they are usable in origin-server authentication (i.e., using WWW-Authenticate), 725 and/or proxy authentication (i.e., using Proxy-Authenticate). 726 </li> 727 </ul> 709 728 <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a> <a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1> 710 729 <div id="rfc.iref.8"></div> … … 752 771 <h2 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a> <a id="header.proxy-authenticate" href="#header.proxy-authenticate">Proxy-Authenticate</a></h2> 753 772 <p id="rfc.section.4.2.p.1">The "Proxy-Authenticate" header field consists of a challenge that indicates the authentication scheme and parameters applicable 754 to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1. 7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response.773 to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response. 
755 774 </p> 756 775 <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.2"></span> <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> … … 776 795 <h2 id="rfc.section.4.4"><a href="#rfc.section.4.4">4.4</a> <a id="header.www-authenticate" href="#header.www-authenticate">WWW-Authenticate</a></h2> 777 796 <p id="rfc.section.4.4.p.1">The "WWW-Authenticate" header field consists of at least one challenge that indicates the authentication scheme(s) and parameters 778 applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1. 8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages.797 applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.9"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages. 
779 798 </p> 780 799 <div id="rfc.figure.u.9"></div><pre class="inline"><span id="rfc.iref.g.4"></span> <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a> … … 1089 1108 <li> <<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/177">http://tools.ietf.org/wg/httpbis/trac/ticket/177</a>>: "Realm required on challenges" 1090 1109 </li> 1110 <li> <<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/257">http://tools.ietf.org/wg/httpbis/trac/ticket/257</a>>: "Considerations for new authentications schemes" 1111 </li> 1091 1112 </ul> 1092 1113 <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1> … … 1134 1155 </li> 1135 1156 <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul> 1136 <li><em>Part1</em> <a href="#rfc.xref.Part1.1">1.2</a>, <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a>, <a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7"> 4.2</a>, <a href="#rfc.xref.Part1.8">4.4</a>, <a href="#Part1"><b>8.1</b></a><ul>1157 <li><em>Part1</em> <a href="#rfc.xref.Part1.1">1.2</a>, <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a>, <a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7">2.3.1</a>, <a href="#rfc.xref.Part1.8">4.2</a>, <a href="#rfc.xref.Part1.9">4.4</a>, <a href="#Part1"><b>8.1</b></a><ul> 1137 1158 <li><em>Section 1.2</em> <a href="#rfc.xref.Part1.1">1.2</a></li> 1138 1159 <li><em>Section 1.2.2</em> <a href="#rfc.xref.Part1.2">1.2.1</a>, <a href="#rfc.xref.Part1.3">1.2.1</a>, <a href="#rfc.xref.Part1.4">1.2.1</a>, <a href="#rfc.xref.Part1.5">1.2.1</a></li> 1139 <li><em>Section 4.3</em> <a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.7">4.2</a>, <a href="#rfc.xref.Part1.8">4.4</a></li> 1160 <li><em>Section 2.2</em> <a 
href="#rfc.xref.Part1.7">2.3.1</a></li> 1161 <li><em>Section 4.3</em> <a href="#rfc.xref.Part1.6">2.2</a>, <a href="#rfc.xref.Part1.8">4.2</a>, <a href="#rfc.xref.Part1.9">4.4</a></li> 1140 1162 </ul> 1141 1163 </li> -
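Review bot: The new section 2.3.1 renders an empty paragraph, `<p id="rfc.section.2.3.1.p.2"> </p>` at new line 716, ahead of the `<ul>`, so paragraph id p.2 is spent on no content. It comes from the source wrapping the `<list>` in a `<t>` of its own (p7-auth.xml new lines 450-451); placing the list inside the preceding `<t>`, after "can work:", would likely avoid it. Separately, the Part1 xref ids are renumbered from 7 upward (section 4.2 moves from rfc.xref.Part1.7 to rfc.xref.Part1.8, section 4.4 from .8 to .9), so any existing deep link to those fragment ids now lands on a different section.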
draft-ietf-httpbis/latest/p7-auth.xml
r1354 r1356 20 20 <!ENTITY basic-rules "<xref target='Part1' x:rel='#basic.rules' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 21 21 <!ENTITY effective-request-uri "<xref target='Part1' x:rel='#effective.request.uri' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 22 <!ENTITY msg-orient-and-buffering "<xref target='Part1' x:rel='#message-orientation-and-buffering' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 22 23 <!ENTITY end-to-end.and-hop-by-hop "<xref target='Part1' x:rel='#end-to-end.and.hop-by-hop.header-fields' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 23 24 <!ENTITY shared-and-non-shared-caches "<xref target='Part6' x:rel='#shared.and.non-shared.caches' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> … … 441 442 The registry itself is maintained at <eref target="http://www.iana.org/assignments/http-authschemes"/>. 442 443 </t> 444 445 <section title="Considerations for New Authentication Schemes" anchor="considerations.for.new.authentication.schemes"> 446 <t> 447 There are certain aspects of the HTTP Authentication Framework that put 448 constraints on how new authentication schemes can work: 449 </t> 450 <t> 451 <list style="symbols"> 452 <t> 453 Authentication schemes need to be compatible with the inherent 454 constraints of HTTP; for instance, that messages need to keep their 455 semantics when inspected in isolation, thus an authentication scheme 456 can not bind information to the TCP session over which the message 457 was received (see &msg-orient-and-buffering;). 458 </t> 459 <t> 460 The authentication parameter "realm" is reserved for defining Protection 461 Spaces as defined in <xref target="protection.space"/>. New schemes 462 &MUST-NOT; use it in a way incompatible with that definition. 463 </t> 464 <t> 465 Authentication schemes need to document whther they are usable in 466 origin-server authentication (i.e., using WWW-Authenticate), and/or 467 proxy authentication (i.e., using Proxy-Authenticate). 
468 </t> 469 <!-- note about Authorization header --> 470 </list> 471 </t> 472 </section> 473 443 474 </section> 444 475 … … 1228 1259 "Realm required on challenges" 1229 1260 </t> 1261 <t> 1262 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/257"/>: 1263 "Considerations for new authentications schemes" 1264 </t> 1230 1265 </list> 1231 1266 </t>
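Review bot: Typo in the third list item at new line 465: "whther" should be "whether"; the same misspelling is carried into the generated p7-auth.html at new line 724, so regenerate after fixing the source. The comment `<!-- note about Authorization header -->` at new line 469 is a placeholder with no text behind it; either add the list item it stands for or record the open point in ticket 257 so it is not lost. In the first item, "can not bind" (line 456) reads better as "cannot bind", and that item states its constraint non-normatively ("need to", "for instance") while the "realm" item uses MUST NOT, which is worth confirming as intended. The change-log entry at new line 1263 says "authentications schemes"; if that is not the ticket's literal title, align it with the section title "Considerations for New Authentication Schemes".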