Changeset 1478 for draft-ietf-httpbis/latest/p7-auth.html

Timestamp:

25/11/11 15:53:44 (11 years ago)

Author:

julian.reschke@…

Message:

realm: move quoted-string requirement into prose and add a note that in practice recipients may have to support both (see #314)

File:

• draft-ietf-httpbis/latest/p7-auth.html (modified) (18 diffs)

draft-ietf-httpbis/latest/p7-auth.html

@@ -359 +359 @@
   } 
   @bottom-center {
-       content: "Expires May 17, 2012"; 
+       content: "Expires May 28, 2012"; 
   } 
   @bottom-right {
@@ -405 +405 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2011-11-14">
+      <meta name="dct.issued" scheme="ISO8601" content="2011-11-25">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines the HTTP Authentication framework.">
@@ -436 +436 @@
             </tr>
             <tr>
-               <td class="left">Expires: May 17, 2012</td>
+               <td class="left">Expires: May 28, 2012</td>
                <td class="right">HP</td>
             </tr>
@@ -489 +489 @@
             <tr>
                <td class="left"></td>
-               <td class="right">November 14, 2011</td>
+               <td class="right">November 25, 2011</td>
             </tr>
          </tbody>
@@ -517 +517 @@
          in progress”.
       </p>
-      <p>This Internet-Draft will expire on May 17, 2012.</p>
+      <p>This Internet-Draft will expire on May 28, 2012.</p>
       <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1>
       <p>Copyright © 2011 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
@@ -705 +705 @@
       <div id="rfc.iref.r.1"></div>
       <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;<a id="protection.space" href="#protection.space">Protection Space (Realm)</a></h2>
-      <p id="rfc.section.2.2.p.1">The authentication parameter realm is reserved for use by authentication schemes that wish to indicate the scope of protection:</p>
-      <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.r.2"></span><span id="rfc.iref.r.3"></span><span id="rfc.iref.g.6"></span>  realm       = "realm" <a href="#core.rules" class="smpl">BWS</a> "=" <a href="#core.rules" class="smpl">BWS</a> realm-value
-  realm-value = quoted-string
-</pre><p id="rfc.section.2.2.p.3">A <dfn>protection space</dfn> is defined by the canonical root URI (the scheme and authority components of the effective request URI; see <a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources
+      <p id="rfc.section.2.2.p.1">The authentication parameter realm is reserved for use by authentication schemes that wish to indicate the scope of protection.</p>
+      <p id="rfc.section.2.2.p.2">A <dfn>protection space</dfn> is defined by the canonical root URI (the scheme and authority components of the effective request URI; see <a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>) of the server being accessed, in combination with the realm value if present. These realms allow the protected resources
          on a server to be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization
          database. The realm value is a string, generally assigned by the origin server, which can have additional semantics specific
          to the authentication scheme. Note that there can be multiple challenges with the same auth-scheme but different realms.
       </p>
-      <p id="rfc.section.2.2.p.4">The protection space determines the domain over which credentials can be automatically applied. If a prior request has been
+      <p id="rfc.section.2.2.p.3">The protection space determines the domain over which credentials can be automatically applied. If a prior request has been
          authorized, the same credentials <em class="bcp14">MAY</em> be reused for all other requests within that protection space for a period of time determined by the authentication scheme,
          parameters, and/or user preference. Unless otherwise defined by the authentication scheme, a single protection space cannot
          extend outside the scope of its server.
+      </p>
+      <p id="rfc.section.2.2.p.4">For historical reasons, senders <em class="bcp14">MUST</em> only use the quoted-string syntax. Recipients might have to support both token and quoted-string syntax for maximum interoperability
+         with existing clients that have been accepting both notations for a long time.
       </p>
       <h2 id="rfc.section.2.3"><a href="#rfc.section.2.3">2.3</a>&nbsp;<a id="authentication.scheme.registry" href="#authentication.scheme.registry">Authentication Scheme Registry</a></h2>
@@ -779 +780 @@
       </ul>
       <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1>
-      <div id="rfc.iref.15"></div>
+      <div id="rfc.iref.12"></div>
       <div id="rfc.iref.s.1"></div>
       <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h2>
@@ -787 +788 @@
          information.
       </p>
-      <div id="rfc.iref.16"></div>
+      <div id="rfc.iref.13"></div>
       <div id="rfc.iref.s.2"></div>
       <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2>
@@ -802 +803 @@
          for the realm of the resource being requested.
       </p>
-      <div id="rfc.figure.u.6"></div><pre class="inline"><span id="rfc.iref.g.7"></span>  <a href="#header.authorization" class="smpl">Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a>
+      <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.g.6"></span>  <a href="#header.authorization" class="smpl">Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a>
 </pre><p id="rfc.section.4.1.p.3">If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise,
          such as credentials that vary according to a challenge value or using synchronized clocks).
@@ -825 +826 @@
          to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.10"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response.
       </p>
-      <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.8"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
+      <div id="rfc.figure.u.6"></div><pre class="inline"><span id="rfc.iref.g.7"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
 </pre><p id="rfc.section.4.2.p.3">Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting
          them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate
@@ -837 +838 @@
          the resource being requested.
       </p>
-      <div id="rfc.figure.u.8"></div><pre class="inline"><span id="rfc.iref.g.9"></span>  <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a>
+      <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.8"></span>  <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a> = <a href="#challenge.and.response" class="smpl">credentials</a>
 </pre><p id="rfc.section.4.3.p.3">Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication
          using the Proxy-Authenticate field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed
@@ -852 +853 @@
          response.
       </p>
-      <div id="rfc.figure.u.9"></div><pre class="inline"><span id="rfc.iref.g.10"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
+      <div id="rfc.figure.u.8"></div><pre class="inline"><span id="rfc.iref.g.9"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a> = 1#<a href="#challenge.and.response" class="smpl">challenge</a>
 </pre><p id="rfc.section.4.4.p.4">User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one
          challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a
          comma-separated list of authentication parameters.
       </p>
-      <div id="rfc.figure.u.10"></div> 
+      <div id="rfc.figure.u.9"></div> 
       <p>For instance:</p>  <pre class="text">  WWW-Authenticate: Newauth realm="apps", type=1,
                     title="Login to \"apps\"", Basic realm="simple"
@@ -1063 +1064 @@
       </p>
       <h1 id="rfc.section.B"><a href="#rfc.section.B">B.</a>&nbsp;<a id="collected.abnf" href="#collected.abnf">Collected ABNF</a></h1>
-      <div id="rfc.figure.u.11"></div> <pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = credentials
+      <div id="rfc.figure.u.10"></div> <pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = credentials
 
 <a href="#core.rules" class="smpl">BWS</a> = &lt;BWS, defined in [Part1], Section 1.2.2&gt;
@@ -1089 +1090 @@
 <a href="#core.rules" class="smpl">quoted-string</a> = &lt;quoted-string, defined in [Part1], Section 3.2.3&gt;
 
-realm = "realm" BWS "=" BWS realm-value
-realm-value = quoted-string
-
 <a href="#core.rules" class="smpl">token</a> = &lt;token, defined in [Part1], Section 3.2.3&gt;
-</pre> <div id="rfc.figure.u.12"></div>
+</pre> <div id="rfc.figure.u.11"></div>
       <p>ABNF diagnostics:</p><pre class="inline">; Authorization defined but not used
 ; Proxy-Authenticate defined but not used
 ; Proxy-Authorization defined but not used
 ; WWW-Authenticate defined but not used
-; realm defined but not used
 </pre><h1 id="rfc.section.C"><a href="#rfc.section.C">C.</a>&nbsp;<a id="change.log" href="#change.log">Change Log (to be removed by RFC Editor before publication)</a></h1>
       <h2 id="rfc.section.C.1"><a href="#rfc.section.C.1">C.1</a>&nbsp;Since RFC 2616
@@ -1213 +1210 @@
       <p id="rfc.section.C.19.p.1">Closed issues: </p>
       <ul>
+         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/314">http://tools.ietf.org/wg/httpbis/trac/ticket/314</a>&gt;: "allow unquoted realm parameters"
+         </li>
          <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/321">http://tools.ietf.org/wg/httpbis/trac/ticket/321</a>&gt;: "Repeating auth-params"
          </li>
@@ -1222 +1221 @@
          <ul class="ind">
             <li><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul>
-                  <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.15"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>
-                  <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.16"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>
+                  <li>401 Unauthorized (status code)&nbsp;&nbsp;<a href="#rfc.iref.12"><b>3.1</b></a>, <a href="#rfc.xref.status.401.1">5.2</a></li>
+                  <li>407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a href="#rfc.iref.13"><b>3.2</b></a>, <a href="#rfc.xref.status.407.1">5.2</a></li>
                </ul>
             </li>
@@ -1246 +1245 @@
                         <li><tt>auth-param</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.2"><b>2.1</b></a></li>
                         <li><tt>auth-scheme</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.1"><b>2.1</b></a></li>
-                        <li><tt>Authorization</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.7"><b>4.1</b></a></li>
+                        <li><tt>Authorization</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.6"><b>4.1</b></a></li>
                         <li><tt>b64token</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.3"><b>2.1</b></a></li>
                         <li><tt>challenge</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.4"><b>2.1</b></a></li>
                         <li><tt>credentials</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.5"><b>2.1</b></a></li>
-                        <li><tt>Proxy-Authenticate</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.8"><b>4.2</b></a></li>
-                        <li><tt>Proxy-Authorization</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.9"><b>4.3</b></a></li>
-                        <li><tt>realm</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.6"><b>2.2</b></a></li>
-                        <li><tt>WWW-Authenticate</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.10"><b>4.4</b></a></li>
+                        <li><tt>Proxy-Authenticate</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.7"><b>4.2</b></a></li>
+                        <li><tt>Proxy-Authorization</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.8"><b>4.3</b></a></li>
+                        <li><tt>WWW-Authenticate</tt>&nbsp;&nbsp;<a href="#rfc.iref.g.9"><b>4.4</b></a></li>
                      </ul>
                   </li>
@@ -1291 +1289 @@
             <li><a id="rfc.index.R" href="#rfc.index.R"><b>R</b></a><ul>
                   <li>Realm&nbsp;&nbsp;<a href="#rfc.iref.r.1">2.2</a></li>
-                  <li><tt>realm</tt>&nbsp;&nbsp;<a href="#rfc.iref.r.2"><b>2.2</b></a></li>
-                  <li><tt>realm-value</tt>&nbsp;&nbsp;<a href="#rfc.iref.r.3"><b>2.2</b></a></li>
                   <li><em>RFC2119</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC2119.1">1.1</a>, <a href="#RFC2119"><b>8.1</b></a></li>
                   <li><em>RFC2616</em>&nbsp;&nbsp;<a href="#rfc.xref.RFC2616.1">1</a>, <a href="#RFC2616"><b>8.2</b></a>, <a href="#rfc.xref.RFC2616.2">C.1</a></li>