Timestamp:
Jul 27, 2011, 6:21:29 AM (8 years ago)
Author:
julian.reschke@…
Message:

Relationship between 401, Authorization and WWW-Authenticate (see #78)

File:
1 edited

  • draft-ietf-httpbis/latest/p7-auth.xml

    r1357 r1360  
    450450<t>
    451451  <list style="symbols">
     452    <x:lt>
    452453    <t>
    453454      Authentication schemes need to be compatible with the inherent
     
    457458      was received (see &msg-orient-and-buffering;).
    458459    </t>
     460    </x:lt>
     461    <x:lt>
    459462    <t>
    460463      The authentication parameter "realm" is reserved for defining Protection
     
    462465      &MUST-NOT; use it in a way incompatible with that definition.
    463466    </t>
     467    </x:lt>
     468    <x:lt>
    464469    <t>
    465470      Authentication schemes need to document whether they are usable in
    466471      origin-server authentication (i.e., using WWW-Authenticate), and/or
    467472      proxy authentication (i.e., using Proxy-Authenticate).
    468     </t>   
    469     <!-- note about Authorization header -->
     473    </t>
     474    </x:lt>
     475    <x:lt>
     476    <t>
     477      The credentials carried in an Authorization header field are specific to
     478      the User Agent, and therefore have the same effect on HTTP caches as the
     479      "private" Cache-Control response directive, within the scope of the
     480      request they appear in.
     481    </t>
     482    <t>
     483      Therefore, new authentication schemes which choose not to carry
     484      credentials in the Authorization header (e.g., using a newly defined
     485      header) will need to explicitly disallow caching, by mandating the use of
     486      either Cache-Control request directives (e.g., "no-store") or response
     487      directives (e.g., "private").
     488    </t>
     489    </x:lt>
    470490  </list>
    471491</t>
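Review bot: the new paragraph at 477-480 asserts that credentials in an Authorization header field have the same effect on HTTP caches as the "private" response directive, but unlike the neighbouring list items, which cross-reference the other parts via entities such as &msg-orient-and-buffering;, it cites nothing; add a cross-reference to the caching part's rule for requests that carry Authorization, so the equivalence is anchored to the normative text rather than stated by analogy and can be checked for exactness. The qualifier "within the scope of the request they appear in" is also ambiguous about whether the caching effect is limited to the one response or to the effective request URI; say which. Minor point at 485-487: the sentence reads as if a new scheme may pick either a request directive (e.g., "no-store") or a response directive (e.g., "private"), but a request directive can only be mandated on the client and a response directive on the server, so spell out which party the scheme must bind in each case.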
     
    623643   The "WWW-Authenticate" header field consists of at least one
    624644   challenge that indicates the authentication scheme(s) and parameters
    625    applicable to the effective request URI (&effective-request-uri;). It &MUST; be included in 401
    626    (Unauthorized) response messages.
     645   applicable to the effective request URI (&effective-request-uri;).
     646</t>
     647<t>   
     648   It &MUST; be included in 401 (Unauthorized) response messages and &MAY; be
     649   included in other response messages to indicate that supplying credentials
     650   (or different credentials) might affect the response.
    627651</t>
    628652<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="WWW-Authenticate"/>
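Review bot: the new MAY sentence at 648-650 leaves "might affect the response" undefined; state what the client is being told (for instance that supplying credentials, or different credentials, could yield a different status or representation for the same effective request URI), otherwise an implementer cannot distinguish the advisory WWW-Authenticate on a non-401 response from the mandatory challenge on a 401. Style: the opening tag at 647 is "<t>   " with trailing whitespace, the same defect this changeset removes from the old line 468; strip it here too.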
     
    12561280  <list style="symbols">
    12571281    <t>
     1282      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/78"/>:
     1283      "Relationship between 401, Authorization and WWW-Authenticate"
     1284    </t>
     1285    <t>
    12581286      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/177"/>:
    12591287      "Realm required on challenges"