Ticket #357: 357.diff

File 357.diff, 2.4 KB (added by julian.reschke@gmx.de, 3 years ago)

Proposed patch

  • p7-auth.xml

     
    311311  <x:ref>credentials</x:ref> = <x:ref>auth-scheme</x:ref> [ 1*<x:ref>SP</x:ref> ( <x:ref>b64token</x:ref> / #<x:ref>auth-param</x:ref> ) ] 
    312312</artwork></figure> 
    313313<t> 
    314    If the origin server does not wish to accept the credentials sent 
    315    with a request, it &SHOULD; return a 401 (Unauthorized) response. The 
    316    response &MUST; include a WWW-Authenticate header field containing at 
    317    least one (possibly new) challenge applicable to the requested 
    318    resource. 
     314   Requests for protected resources that omit credentials, contain invalid 
     315   credentials (e.g., a bad password), or partial credentials (e.g., when the 
     316   authentication scheme requires more than one round trip) &SHOULD; return a 
     317   401 (Unauthorized) response. Such responses &MUST; include a 
     318   WWW-Authenticate header field containing at least one (possibly new) 
     319   challenge applicable to the requested resource. 
    319320</t> 
    320321<t> 
    321    If a proxy does not accept the credentials sent with a request, it &SHOULD; 
    322    return a 407 (Proxy Authentication Required) response. The 
    323    response &MUST; include a Proxy-Authenticate header field containing a 
    324    (possibly new) challenge applicable to the proxy for the requested 
    325    resource. 
     322   Likewise, requests that require authentication by proxies that omit 
     323   credentials, or contain invalid or partial credentials &SHOULD; return a 
     324   407 (Proxy Authentication Required) response. Such responses &MUST; 
     325   include a Proxy-Authenticate header field containing a (possibly new) 
     326   challenge applicable to the proxy. 
    326327</t> 
    327328<t> 
     329   A server receiving credentials that are valid, but not adequate to gain 
     330   access, ought to respond with the 403 (Forbidden) status code. 
     331</t> 
     332<t> 
    328333   The HTTP protocol does not restrict applications to this simple 
    329334   challenge-response mechanism for access authentication. Additional 
    330335   mechanisms &MAY; be used, such as encryption at the transport level or 
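Review bot: In the new 401 paragraph (new lines 314-319) the grammatical subject of &SHOULD; is "Requests", but a request cannot return a response; the text being replaced named the actor explicitly ("the origin server ... it &SHOULD; return"). Suggest keeping the server as the subject, for example "Upon receipt of a request for a protected resource that omits credentials, contains invalid credentials, or partial credentials, a server &SHOULD; send a 401 (Unauthorized) response". The 407 paragraph (new lines 322-326) has the same problem, and "authentication by proxies that omit credentials" additionally reads as if the proxy were the party omitting them; it also drops the old "for the requested resource" qualifier, which is worth confirming as intended. The added 403 paragraph uses "ought to" while the two paragraphs before it use &SHOULD;; since the 401 versus 403 choice now hinges on "invalid" versus "valid, but not adequate" credentials, please confirm the weaker wording is deliberate.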
     
    11541159      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/349"/>: 
    11551160      "Strength" 
    11561161    </t> 
     1162    <t> 
     1163      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/357"/>: 
     1164      "Authentication exchanges" 
     1165    </t> 
    11571166  </list> 
    11581167</t> 
    11591168</section>