Ignore:
Timestamp:
Jul 27, 2011, 6:21:29 AM (8 years ago)
Author:
julian.reschke@…
Message:

Relationship between 401, Authorization and WWW-Authenticate (see #78)

File:
1 edited

Legend:

Unmodified
Added
Removed
  • draft-ietf-httpbis/latest/p7-auth.html

    r1357 r1360  
    359359  }
    360360  @bottom-center {
    361        content: "Expires January 27, 2012";
     361       content: "Expires January 28, 2012";
    362362  }
    363363  @bottom-right {
     
    404404      <meta name="dct.creator" content="Reschke, J. F.">
    405405      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
    406       <meta name="dct.issued" scheme="ISO8601" content="2011-07-26">
     406      <meta name="dct.issued" scheme="ISO8601" content="2011-07-27">
    407407      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    408408      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines HTTP Authentication.">
     
    435435            </tr>
    436436            <tr>
    437                <td class="left">Expires: January 27, 2012</td>
     437               <td class="left">Expires: January 28, 2012</td>
    438438               <td class="right">HP</td>
    439439            </tr>
     
    488488            <tr>
    489489               <td class="left"></td>
    490                <td class="right">July 26, 2011</td>
     490               <td class="right">July 27, 2011</td>
    491491            </tr>
    492492         </tbody>
     
    516516         in progress”.
    517517      </p>
    518       <p>This Internet-Draft will expire on January 27, 2012.</p>
     518      <p>This Internet-Draft will expire on January 28, 2012.</p>
    519519      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
    520520      <p>Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
     
    716716      <p id="rfc.section.2.3.1.p.2"> </p>
    717717      <ul>
    718          <li>Authentication schemes need to be compatible with the inherent constraints of HTTP; for instance, that messages need to keep
    719             their semantics when inspected in isolation, thus an authentication scheme can not bind information to the TCP session over
    720             which the message was received (see <a href="p1-messaging.html#message-orientation-and-buffering" title="Message Orientation and Buffering">Section 2.2</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>).
    721          </li>
    722          <li>The authentication parameter "realm" is reserved for defining Protection Spaces as defined in <a href="#protection.space" title="Protection Space (Realm)">Section&nbsp;2.2</a>. New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition.
    723          </li>
    724          <li>Authentication schemes need to document whether they are usable in origin-server authentication (i.e., using WWW-Authenticate),
    725             and/or proxy authentication (i.e., using Proxy-Authenticate).
     718         <li>
     719            <p>Authentication schemes need to be compatible with the inherent constraints of HTTP; for instance, that messages need to keep
     720               their semantics when inspected in isolation, thus an authentication scheme can not bind information to the TCP session over
     721               which the message was received (see <a href="p1-messaging.html#message-orientation-and-buffering" title="Message Orientation and Buffering">Section 2.2</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>).
     722            </p>
     723         </li>
     724         <li>
     725            <p>The authentication parameter "realm" is reserved for defining Protection Spaces as defined in <a href="#protection.space" title="Protection Space (Realm)">Section&nbsp;2.2</a>. New schemes <em class="bcp14">MUST NOT</em> use it in a way incompatible with that definition.
     726            </p>
     727         </li>
     728         <li>
     729            <p>Authentication schemes need to document whether they are usable in origin-server authentication (i.e., using WWW-Authenticate),
     730               and/or proxy authentication (i.e., using Proxy-Authenticate).
     731            </p>
     732         </li>
     733         <li>
     734            <p>The credentials carried in an Authorization header field are specific to the User Agent, and therefore have the same effect
     735               on HTTP caches as the "private" Cache-Control response directive, within the scope of the request they appear in.
     736            </p>
     737            <p>Therefore, new authentication schemes which choose not to carry credentials in the Authorization header (e.g., using a newly
     738               defined header) will need to explicitly disallow caching, by mandating the use of either Cache-Control request directives
     739               (e.g., "no-store") or response directives (e.g., "private").
     740            </p>
    726741         </li>
    727742      </ul>
     
    795810      <h2 id="rfc.section.4.4"><a href="#rfc.section.4.4">4.4</a>&nbsp;<a id="header.www-authenticate" href="#header.www-authenticate">WWW-Authenticate</a></h2>
    796811      <p id="rfc.section.4.4.p.1">The "WWW-Authenticate" header field consists of at least one challenge that indicates the authentication scheme(s) and parameters
    797          applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.9"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages.
     812         applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.9"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>).
     813      </p>
     814      <p id="rfc.section.4.4.p.2">It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages and <em class="bcp14">MAY</em> be included in other response messages to indicate that supplying credentials (or different credentials) might affect the
     815         response.
    798816      </p>
    799817      <div id="rfc.figure.u.9"></div><pre class="inline"><span id="rfc.iref.g.4"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
    800 </pre><p id="rfc.section.4.4.p.3">User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one
     818</pre><p id="rfc.section.4.4.p.4">User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one
    801819         challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a
    802820         comma-separated list of authentication parameters.
     
    11061124      <p id="rfc.section.C.17.p.1">Closed issues: </p>
    11071125      <ul>
     1126         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/78">http://tools.ietf.org/wg/httpbis/trac/ticket/78</a>&gt;: "Relationship between 401, Authorization and WWW-Authenticate"
     1127         </li>
    11081128         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/177">http://tools.ietf.org/wg/httpbis/trac/ticket/177</a>&gt;: "Realm required on challenges"
    11091129         </li>
Note: See TracChangeset for help on using the changeset viewer.