
Changeset 1681


Timestamp: 2012-06-21 01:17:43 (2 years ago)
Author: julian.reschke@gmx.de
Message: Clarify authentication exchanges (see #357)
Location: draft-ietf-httpbis/latest
Files: 2 edited

  • draft-ietf-httpbis/latest/p7-auth.html

    r1678 r1681  
    449449  }  
    450450  @bottom-center { 
    451        content: "Expires December 19, 2012";  
     451       content: "Expires December 23, 2012";  
    452452  }  
    453453  @bottom-right { 
     
    489489      <meta name="dct.creator" content="Reschke, J. F."> 
    490490      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest"> 
    491       <meta name="dct.issued" scheme="ISO8601" content="2012-06-17"> 
     491      <meta name="dct.issued" scheme="ISO8601" content="2012-06-21"> 
    492492      <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 
    493493      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines the HTTP Authentication framework."> 
     
    520520            </tr> 
    521521            <tr> 
    522                <td class="left">Expires: December 19, 2012</td> 
     522               <td class="left">Expires: December 23, 2012</td> 
    523523               <td class="right">greenbytes</td> 
    524524            </tr> 
    525525            <tr> 
    526526               <td class="left"></td> 
    527                <td class="right">June 17, 2012</td> 
     527               <td class="right">June 21, 2012</td> 
    528528            </tr> 
    529529         </tbody> 
     
    553553         in progress”. 
    554554      </p> 
    555       <p>This Internet-Draft will expire on December 19, 2012.</p> 
     555      <p>This Internet-Draft will expire on December 23, 2012.</p> 
    556556      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1> 
    557557      <p>Copyright © 2012 IETF Trust and the persons identified as the document authors. All rights reserved.</p> 
     
    711711      </p> 
    712712      <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.c.2"></span><span id="rfc.iref.g.5"></span>  <a href="#challenge.and.response" class="smpl">credentials</a> = <a href="#challenge.and.response" class="smpl">auth-scheme</a> [ 1*<a href="#notation" class="smpl">SP</a> ( <a href="#challenge.and.response" class="smpl">b64token</a> / #<a href="#challenge.and.response" class="smpl">auth-param</a> ) ] 
    713 </pre><p id="rfc.section.2.1.p.14">If the origin server does not wish to accept the credentials sent with a request, it <em class="bcp14">SHOULD</em> return a 401 (Unauthorized) response. The response <em class="bcp14">MUST</em> include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource. 
    714       </p> 
    715       <p id="rfc.section.2.1.p.15">If a proxy does not accept the credentials sent with a request, it <em class="bcp14">SHOULD</em> return a 407 (Proxy Authentication Required) response. The response <em class="bcp14">MUST</em> include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy for the requested 
    716          resource. 
    717       </p> 
    718       <p id="rfc.section.2.1.p.16">The HTTP protocol does not restrict applications to this simple challenge-response mechanism for access authentication. Additional 
     713</pre><p id="rfc.section.2.1.p.14">Requests for protected resources that omit credentials, contain invalid credentials (e.g., a bad password), or partial credentials 
     714         (e.g., when the authentication scheme requires more than one round trip) <em class="bcp14">SHOULD</em> return a 401 (Unauthorized) response. Such responses <em class="bcp14">MUST</em> include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource. 
     715      </p> 
     716      <p id="rfc.section.2.1.p.15">Likewise, requests that require authentication by proxies that omit credentials, or contain invalid or partial credentials <em class="bcp14">SHOULD</em> return a 407 (Proxy Authentication Required) response. Such responses <em class="bcp14">MUST</em> include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy. 
     717      </p> 
     718      <p id="rfc.section.2.1.p.16">A server receiving credentials that are valid, but not adequate to gain access, ought to respond with the 403 (Forbidden) 
     719         status code. 
     720      </p> 
     721      <p id="rfc.section.2.1.p.17">The HTTP protocol does not restrict applications to this simple challenge-response mechanism for access authentication. Additional 
    719722         mechanisms <em class="bcp14">MAY</em> be used, such as encryption at the transport level or via message encapsulation, and with additional header fields specifying 
    720723         authentication information. However, such additional mechanisms are not defined by this specification. 
    721724      </p> 
    722       <p id="rfc.section.2.1.p.17">Proxies <em class="bcp14">MUST</em> forward the WWW-Authenticate and Authorization headers unmodified and follow the rules found in <a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section&nbsp;4.1</a>. 
     725      <p id="rfc.section.2.1.p.18">Proxies <em class="bcp14">MUST</em> forward the WWW-Authenticate and Authorization headers unmodified and follow the rules found in <a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section&nbsp;4.1</a>. 
    723726      </p> 
    724727      <div id="rfc.iref.p.1"></div> 
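Review bot: In the new rfc.section.2.1.p.14 and p.15 text the grammatical subject is the request ("Requests for protected resources that omit credentials ... SHOULD return a 401"), but a request does not return a response; the origin server or proxy does, which is what the removed wording said ("it SHOULD return"). Since p7-auth.html is generated from p7-auth.xml, the fix belongs in the xml source and should be regenerated here, e.g. "Upon receipt of a request for a protected resource that omits credentials, contains invalid credentials (e.g., a bad password) or partial credentials (e.g., when the authentication scheme requires more than one round trip), an origin server SHOULD return a 401 (Unauthorized) response."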
     
    11451148         </li> 
    11461149         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/349">http://tools.ietf.org/wg/httpbis/trac/ticket/349</a>&gt;: "Strength" 
     1150         </li> 
     1151         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/357">http://tools.ietf.org/wg/httpbis/trac/ticket/357</a>&gt;: "Authentication exchanges" 
    11471152         </li> 
    11481153      </ul> 
  • draft-ietf-httpbis/latest/p7-auth.xml

    r1678 r1681  
    312312</artwork></figure> 
    313313<t> 
    314    If the origin server does not wish to accept the credentials sent 
    315    with a request, it &SHOULD; return a 401 (Unauthorized) response. The 
    316    response &MUST; include a WWW-Authenticate header field containing at 
    317    least one (possibly new) challenge applicable to the requested 
    318    resource. 
    319 </t> 
    320 <t> 
    321    If a proxy does not accept the credentials sent with a request, it &SHOULD; 
    322    return a 407 (Proxy Authentication Required) response. The 
    323    response &MUST; include a Proxy-Authenticate header field containing a 
    324    (possibly new) challenge applicable to the proxy for the requested 
    325    resource. 
     314   Requests for protected resources that omit credentials, contain invalid 
     315   credentials (e.g., a bad password), or partial credentials (e.g., when the 
     316   authentication scheme requires more than one round trip) &SHOULD; return a 
     317   401 (Unauthorized) response. Such responses &MUST; include a 
     318   WWW-Authenticate header field containing at least one (possibly new) 
     319   challenge applicable to the requested resource. 
     320</t> 
     321<t> 
     322   Likewise, requests that require authentication by proxies that omit 
     323   credentials, or contain invalid or partial credentials &SHOULD; return a 
     324   407 (Proxy Authentication Required) response. Such responses &MUST; 
     325   include a Proxy-Authenticate header field containing a (possibly new) 
     326   challenge applicable to the proxy. 
     327</t> 
     328<t> 
     329   A server receiving credentials that are valid, but not adequate to gain 
     330   access, ought to respond with the 403 (Forbidden) status code. 
    326331</t> 
    327332<t> 
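Review bot: The new "Likewise, ..." paragraph misattaches its relative clause: "requests that require authentication by proxies that omit credentials" reads as though the proxies are the ones omitting credentials, and "or contain invalid or partial credentials" drops the parallel "that". Suggest "Likewise, when a proxy requires authentication and the request omits credentials, or contains invalid or partial credentials, the proxy SHOULD return a 407 (Proxy Authentication Required) response." Separately, the added 403 paragraph uses "ought to" where the two paragraphs before it use &SHOULD; and &MUST;; if the softer wording is deliberate that is fine, but the resulting split (403 for valid-but-inadequate credentials, 401 for invalid ones) lets a client learn whether a submitted credential was accepted, which may deserve a sentence in the security considerations.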
     
    11551160      "Strength" 
    11561161    </t> 
     1162    <t> 
     1163      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/357"/>: 
     1164      "Authentication exchanges" 
     1165    </t> 
    11571166  </list> 
    11581167</t> 