Re: #78: Relationship between 401, Authorization and WWW-Authenticate

Adrien de Croy <adrien@qbik.com> Mon, 25 July 2011 01:31 UTC

Message-ID: <4E2CC6FA.3020207@qbik.com>
Date: Mon, 25 Jul 2011 13:29:30 +1200
From: Adrien de Croy <adrien@qbik.com>
To: Mark Nottingham <mnot@mnot.net>
CC: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>
References: <798C1D1A-C0C7-40DD-8993-31DB735A4961@mnot.net> <20110724181138.GW22405@1wt.eu> <CFBF6FC4-5E17-40A5-A10F-FDCB8B053BAF@mnot.net>
In-Reply-To: <CFBF6FC4-5E17-40A5-A10F-FDCB8B053BAF@mnot.net>
Subject: Re: #78: Relationship between 401, Authorization and WWW-Authenticate
Archived-At: <http://www.w3.org/mid/4E2CC6FA.3020207@qbik.com>

On 25/07/2011 6:31 a.m., Mark Nottingham wrote:
> On 24/07/2011, at 2:11 PM, Willy Tarreau wrote:
>
>> On Sun, Jul 24, 2011 at 02:06:17PM -0400, Mark Nottingham wrote:
>>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/78>
>>>
>>> Proposal:
>>>
>>> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
>> Does this mean it's only for other 4xx or for any status ? It might have
>> implications with non-idempotent requests if a client can repost a request
>> that led to a 200 for instance.
> Any status. Good point about non-idempotent requests; we'll need to make clear it's not about automatically retrying requests, but instead that sending the same request with credentials might have a different effect.

Isn't this redundant?

I see requests with credentials all the time, when no previous 
WWW-Authorize had been sent in any response.

So clients are already taking any liberties they like to send 
credentials when they please.  I don't know that it adds anything to 
HTTP to explicitly tell them they may do this in protocol.  They are 
doing it anyway.

Otherwise are we going to prohibit the sending of creds when no 
WWW-Authorize had been sent?

Adrien
-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
WinGate 7 beta out now - http://www.wingate.com/getlatest/
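As an added example (my own code, not from the thread or any of its participants), here is a small client-side policy that parses a WWW-Authenticate challenge and applies the semantics proposed above: a 401 permits repeating the request with credentials, while a challenge on any other status only permits an automatic retry for safe or idempotent methods, so a POST that already returned 200 is handed to the user rather than resent. The function names and the 'retry' / 'ask-user' / 'none' outcomes are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Methods a client may repeat automatically without causing a second
# state change on the server (safe or idempotent per HTTP).
IDEMPOTENT = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE"}

# auth-param: token "=" ( token / quoted-string )
_PARAM = re.compile(r'([\w!#$%&\'*+.^`|~-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')


@dataclass
class Challenge:
    scheme: str
    params: dict = field(default_factory=dict)


def parse_challenge(value: str) -> Challenge:
    """Parse one WWW-Authenticate challenge, e.g. 'Basic realm="proxy"'."""
    scheme, _, rest = value.strip().partition(" ")
    ch = Challenge(scheme.lower())
    for name, raw in _PARAM.findall(rest):
        if raw.startswith('"'):  # strip quotes and unescape quoted-pairs
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        ch.params[name.lower()] = raw
    return ch


def retry_decision(method: str, status: int, headers: dict, sent_creds: bool) -> str:
    """Return 'retry', 'ask-user' or 'none' for a received response.

    401: the request was not honoured and may be repeated with credentials.
    Any other status with WWW-Authenticate: credentials *might* change the
    outcome, but a non-idempotent request must not be resent automatically.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "www-authenticate" not in hdrs or sent_creds:
        return "none"  # nothing to retry with, or credentials already tried
    challenge = parse_challenge(hdrs["www-authenticate"])
    if not challenge.scheme:
        return "none"  # malformed challenge: no scheme to answer
    if status == 401:
        return "retry"
    return "retry" if method.upper() in IDEMPOTENT else "ask-user"
```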