
Changeset 998


Timestamp: 2010-09-13 07:47:24 (4 years ago)
Author: julian.reschke@gmx.de
Message: Incorporate auth framework from RFC 2617; ack RFC 2617's authors, fix known auth-param erratum (see #195)(see #237)
Location: draft-ietf-httpbis/latest
Files: 4 edited

  • draft-ietf-httpbis/latest/p2-semantics.html

    r994 r998  
    403403      <meta name="dct.creator" content="Reschke, J. F."> 
    404404      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p2-semantics-latest"> 
    405       <meta name="dct.issued" scheme="ISO8601" content="2010-09-07"> 
     405      <meta name="dct.issued" scheme="ISO8601" content="2010-09-13"> 
    406406      <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 
    407407      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 2 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 2 defines the semantics of HTTP messages as expressed by request methods, request-header fields, response status codes, and response-header fields."> 
     
    434434            </tr> 
    435435            <tr> 
    436                <td class="left">Expires: March 11, 2011</td> 
     436               <td class="left">Expires: March 17, 2011</td> 
    437437               <td class="right">HP</td> 
    438438            </tr> 
     
    487487            <tr> 
    488488               <td class="left"></td> 
    489                <td class="right">September 7, 2010</td> 
     489               <td class="right">September 13, 2010</td> 
    490490            </tr> 
    491491         </tbody> 
     
    514514         in progress”. 
    515515      </p> 
    516       <p>This Internet-Draft will expire on March 11, 2011.</p> 
     516      <p>This Internet-Draft will expire on March 17, 2011.</p> 
    517517      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1> 
    518518      <p>Copyright © 2010 IETF Trust and the persons identified as the document authors. All rights reserved.</p> 
     
    746746</pre><div id="rfc.figure.u.6"></div><pre class="inline">  <a href="#abnf.dependencies" class="smpl">Age</a>           = &lt;Age, defined in <a href="#Part6" id="rfc.xref.Part6.1"><cite title="HTTP/1.1, part 6: Caching">[Part6]</cite></a>, <a href="p6-cache.html#header.age" title="Age">Section 3.1</a>&gt; 
    747747  <a href="#abnf.dependencies" class="smpl">Vary</a>          = &lt;Vary, defined in <a href="#Part6" id="rfc.xref.Part6.2"><cite title="HTTP/1.1, part 6: Caching">[Part6]</cite></a>, <a href="p6-cache.html#header.vary" title="Vary">Section 3.5</a>&gt; 
    748 </pre><div id="rfc.figure.u.7"></div><pre class="inline">  <a href="#abnf.dependencies" class="smpl">Authorization</a> = &lt;Authorization, defined in <a href="#Part7" id="rfc.xref.Part7.1"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.authorization" title="Authorization">Section 3.1</a>&gt; 
     748</pre><div id="rfc.figure.u.7"></div><pre class="inline">  <a href="#abnf.dependencies" class="smpl">Authorization</a> = &lt;Authorization, defined in <a href="#Part7" id="rfc.xref.Part7.1"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.authorization" title="Authorization">Section 4.1</a>&gt; 
    749749  <a href="#abnf.dependencies" class="smpl">Proxy-Authenticate</a> = 
    750              &lt;Proxy-Authenticate, defined in <a href="#Part7" id="rfc.xref.Part7.2"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.proxy-authenticate" title="Proxy-Authenticate">Section 3.2</a>&gt; 
     750             &lt;Proxy-Authenticate, defined in <a href="#Part7" id="rfc.xref.Part7.2"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.proxy-authenticate" title="Proxy-Authenticate">Section 4.2</a>&gt; 
    751751  <a href="#abnf.dependencies" class="smpl">Proxy-Authorization</a> = 
    752              &lt;Proxy-Authorization, defined in <a href="#Part7" id="rfc.xref.Part7.3"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.proxy-authorization" title="Proxy-Authorization">Section 3.3</a>&gt; 
     752             &lt;Proxy-Authorization, defined in <a href="#Part7" id="rfc.xref.Part7.3"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.proxy-authorization" title="Proxy-Authorization">Section 4.3</a>&gt; 
    753753  <a href="#abnf.dependencies" class="smpl">WWW-Authenticate</a> =  
    754              &lt;WWW-Authenticate, defined in <a href="#Part7" id="rfc.xref.Part7.4"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.www-authenticate" title="WWW-Authenticate">Section 3.4</a>&gt; 
     754             &lt;WWW-Authenticate, defined in <a href="#Part7" id="rfc.xref.Part7.4"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.www-authenticate" title="WWW-Authenticate">Section 4.4</a>&gt; 
    755755</pre><h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a>&nbsp;<a id="method" href="#method">Method</a></h1> 
    756756      <p id="rfc.section.2.p.1">The Method token indicates the method to be performed on the target resource (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.17"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). The method is case-sensitive. 
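Review bot: the four Part7 cross-references in this hunk (Authorization 3.1 to 4.1, Proxy-Authenticate 3.2 to 4.2, Proxy-Authorization 3.3 to 4.3, WWW-Authenticate 3.4 to 4.4) all shift by exactly one, which is what inserting the new "Access Authentication Framework" chapter as Section 2 of p7 implies; the link targets (p7-auth.html#header.authorization and the rest) are untouched, so only the displayed numbers move. Since the same four rules reappear in the Collected ABNF appendix further down, it is worth confirming that both places were regenerated from the same p7 revision rather than edited by hand.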
     
    795795                 / <a href="#abnf.dependencies" class="smpl">Accept-Encoding</a>          ; <a href="#Part3" id="rfc.xref.Part3.7"><cite title="HTTP/1.1, part 3: Message Payload and Content Negotiation">[Part3]</cite></a>, <a href="p3-payload.html#header.accept-encoding" title="Accept-Encoding">Section 6.3</a> 
    796796                 / <a href="#abnf.dependencies" class="smpl">Accept-Language</a>          ; <a href="#Part3" id="rfc.xref.Part3.8"><cite title="HTTP/1.1, part 3: Message Payload and Content Negotiation">[Part3]</cite></a>, <a href="p3-payload.html#header.accept-language" title="Accept-Language">Section 6.4</a> 
    797                  / <a href="#abnf.dependencies" class="smpl">Authorization</a>            ; <a href="#Part7" id="rfc.xref.Part7.5"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.authorization" title="Authorization">Section 3.1</a> 
     797                 / <a href="#abnf.dependencies" class="smpl">Authorization</a>            ; <a href="#Part7" id="rfc.xref.Part7.5"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.authorization" title="Authorization">Section 4.1</a> 
    798798                 / <a href="#header.expect" class="smpl">Expect</a>                   ; <a href="#header.expect" id="rfc.xref.header.expect.1" title="Expect">Section&nbsp;9.2</a> 
    799799                 / <a href="#header.from" class="smpl">From</a>                     ; <a href="#header.from" id="rfc.xref.header.from.1" title="From">Section&nbsp;9.3</a> 
     
    805805                 / <a href="#abnf.dependencies" class="smpl">If-Unmodified-Since</a>      ; <a href="#Part4" id="rfc.xref.Part4.9"><cite title="HTTP/1.1, part 4: Conditional Requests">[Part4]</cite></a>, <a href="p4-conditional.html#header.if-unmodified-since" title="If-Unmodified-Since">Section 6.5</a> 
    806806                 / <a href="#header.max-forwards" class="smpl">Max-Forwards</a>             ; <a href="#header.max-forwards" id="rfc.xref.header.max-forwards.1" title="Max-Forwards">Section&nbsp;9.5</a> 
    807                  / <a href="#abnf.dependencies" class="smpl">Proxy-Authorization</a>      ; <a href="#Part7" id="rfc.xref.Part7.6"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.proxy-authorization" title="Proxy-Authorization">Section 3.3</a> 
     807                 / <a href="#abnf.dependencies" class="smpl">Proxy-Authorization</a>      ; <a href="#Part7" id="rfc.xref.Part7.6"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.proxy-authorization" title="Proxy-Authorization">Section 4.3</a> 
    808808                 / <a href="#abnf.dependencies" class="smpl">Range</a>                    ; <a href="#Part5" id="rfc.xref.Part5.5"><cite title="HTTP/1.1, part 5: Range Requests and Partial Responses">[Part5]</cite></a>, <a href="p5-range.html#header.range" title="Range">Section 5.4</a> 
    809809                 / <a href="#header.referer" class="smpl">Referer</a>                  ; <a href="#header.referer" id="rfc.xref.header.referer.1" title="Referer">Section&nbsp;9.6</a> 
     
    815815      <h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a>&nbsp;<a id="status.code.and.reason.phrase" href="#status.code.and.reason.phrase">Status Code and Reason Phrase</a></h1> 
    816816      <p id="rfc.section.4.p.1">The Status-Code element is a 3-digit integer result code of the attempt to understand and satisfy the request. The status 
    817          codes listed below are defined in <a href="#status.codes" title="Status Code Definitions">Section&nbsp;8</a>, <a href="p4-conditional.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part4" id="rfc.xref.Part4.10"><cite title="HTTP/1.1, part 4: Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part5" id="rfc.xref.Part5.6"><cite title="HTTP/1.1, part 5: Range Requests and Partial Responses">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 2</a> of <a href="#Part7" id="rfc.xref.Part7.7"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>. 
     817         codes listed below are defined in <a href="#status.codes" title="Status Code Definitions">Section&nbsp;8</a>, <a href="p4-conditional.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part4" id="rfc.xref.Part4.10"><cite title="HTTP/1.1, part 4: Conditional Requests">[Part4]</cite></a>, <a href="p5-range.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part5" id="rfc.xref.Part5.6"><cite title="HTTP/1.1, part 5: Range Requests and Partial Responses">[Part5]</cite></a>, and <a href="p7-auth.html#status.code.definitions" title="Status Code Definitions">Section 3</a> of <a href="#Part7" id="rfc.xref.Part7.7"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>. 
    818818      </p> 
    819819      <p id="rfc.section.4.p.2">The Reason-Phrase is intended to give a short textual description of the Status-Code. The Status-Code is intended for use 
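Review bot: the Part7 pointer for status code definitions changes from Section 2 to Section 3 while the Part4 and Part5 pointers stay at Section 3; this is consistent with the p7 renumbering. The individual 401 and 407 entries in the Status-Code list and in Sections 8.4.2 and 8.4.8 must move from 2.1/2.2 to 3.1/3.2 to match, which the following hunks in this file do.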
     
    841841     / "307"  ; <a href="#status.307" id="rfc.xref.status.307.1" title="307 Temporary Redirect">Section&nbsp;8.3.8</a>: Temporary Redirect 
    842842     / "400"  ; <a href="#status.400" id="rfc.xref.status.400.1" title="400 Bad Request">Section&nbsp;8.4.1</a>: Bad Request 
    843      / "401"  ; <a href="#Part7" id="rfc.xref.Part7.8"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#status.401" title="401 Unauthorized">Section 2.1</a>: Unauthorized 
     843     / "401"  ; <a href="#Part7" id="rfc.xref.Part7.8"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#status.401" title="401 Unauthorized">Section 3.1</a>: Unauthorized 
    844844     / "402"  ; <a href="#status.402" id="rfc.xref.status.402.1" title="402 Payment Required">Section&nbsp;8.4.3</a>: Payment Required 
    845845     / "403"  ; <a href="#status.403" id="rfc.xref.status.403.1" title="403 Forbidden">Section&nbsp;8.4.4</a>: Forbidden 
     
    847847     / "405"  ; <a href="#status.405" id="rfc.xref.status.405.1" title="405 Method Not Allowed">Section&nbsp;8.4.6</a>: Method Not Allowed 
    848848     / "406"  ; <a href="#status.406" id="rfc.xref.status.406.1" title="406 Not Acceptable">Section&nbsp;8.4.7</a>: Not Acceptable 
    849      / "407"  ; <a href="#Part7" id="rfc.xref.Part7.9"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#status.407" title="407 Proxy Authentication Required">Section 2.2</a>: Proxy Authentication Required 
     849     / "407"  ; <a href="#Part7" id="rfc.xref.Part7.9"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#status.407" title="407 Proxy Authentication Required">Section 3.2</a>: Proxy Authentication Required 
    850850     / "408"  ; <a href="#status.408" id="rfc.xref.status.408.1" title="408 Request Timeout">Section&nbsp;8.4.9</a>: Request Time-out 
    851851     / "409"  ; <a href="#status.409" id="rfc.xref.status.409.1" title="409 Conflict">Section&nbsp;8.4.10</a>: Conflict 
     
    889889                  / <a href="#abnf.dependencies" class="smpl">ETag</a>                    ; <a href="#Part4" id="rfc.xref.Part4.13"><cite title="HTTP/1.1, part 4: Conditional Requests">[Part4]</cite></a>, <a href="p4-conditional.html#header.etag" title="ETag">Section 6.1</a> 
    890890                  / <a href="#header.location" class="smpl">Location</a>                ; <a href="#header.location" id="rfc.xref.header.location.1" title="Location">Section&nbsp;9.4</a> 
    891                   / <a href="#abnf.dependencies" class="smpl">Proxy-Authenticate</a>      ; <a href="#Part7" id="rfc.xref.Part7.10"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.proxy-authenticate" title="Proxy-Authenticate">Section 3.2</a> 
     891                  / <a href="#abnf.dependencies" class="smpl">Proxy-Authenticate</a>      ; <a href="#Part7" id="rfc.xref.Part7.10"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.proxy-authenticate" title="Proxy-Authenticate">Section 4.2</a> 
    892892                  / <a href="#header.retry-after" class="smpl">Retry-After</a>             ; <a href="#header.retry-after" id="rfc.xref.header.retry-after.1" title="Retry-After">Section&nbsp;9.7</a> 
    893893                  / <a href="#header.server" class="smpl">Server</a>                  ; <a href="#header.server" id="rfc.xref.header.server.1" title="Server">Section&nbsp;9.8</a> 
    894894                  / <a href="#abnf.dependencies" class="smpl">Vary</a>                    ; <a href="#Part6" id="rfc.xref.Part6.4"><cite title="HTTP/1.1, part 6: Caching">[Part6]</cite></a>, <a href="p6-cache.html#header.vary" title="Vary">Section 3.5</a> 
    895                   / <a href="#abnf.dependencies" class="smpl">WWW-Authenticate</a>        ; <a href="#Part7" id="rfc.xref.Part7.11"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.www-authenticate" title="WWW-Authenticate">Section 3.4</a> 
     895                  / <a href="#abnf.dependencies" class="smpl">WWW-Authenticate</a>        ; <a href="#Part7" id="rfc.xref.Part7.11"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>, <a href="p7-auth.html#header.www-authenticate" title="WWW-Authenticate">Section 4.4</a> 
    896896</pre><p id="rfc.section.5.p.3">Response-header field names can be extended reliably only in combination with a change in the protocol version. However, new 
    897897         or experimental header fields <em class="bcp14">MAY</em> be given the semantics of response-header fields if all parties in the communication recognize them to be response-header 
     
    13381338      <div id="rfc.iref.s.20"></div> 
    13391339      <h3 id="rfc.section.8.4.2"><a href="#rfc.section.8.4.2">8.4.2</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h3> 
    1340       <p id="rfc.section.8.4.2.p.1">The request requires user authentication (see <a href="p7-auth.html#status.401" title="401 Unauthorized">Section 2.1</a> of <a href="#Part7" id="rfc.xref.Part7.12"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>). 
     1340      <p id="rfc.section.8.4.2.p.1">The request requires user authentication (see <a href="p7-auth.html#status.401" title="401 Unauthorized">Section 3.1</a> of <a href="#Part7" id="rfc.xref.Part7.12"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>). 
    13411341      </p> 
    13421342      <div id="rfc.iref.44"></div> 
     
    13851385      <div id="rfc.iref.s.26"></div> 
    13861386      <h3 id="rfc.section.8.4.8"><a href="#rfc.section.8.4.8">8.4.8</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h3> 
    1387       <p id="rfc.section.8.4.8.p.1">This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy (see <a href="p7-auth.html#status.407" title="407 Proxy Authentication Required">Section 2.2</a> of <a href="#Part7" id="rfc.xref.Part7.13"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>). 
     1387      <p id="rfc.section.8.4.8.p.1">This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy (see <a href="p7-auth.html#status.407" title="407 Proxy Authentication Required">Section 3.2</a> of <a href="#Part7" id="rfc.xref.Part7.13"><cite title="HTTP/1.1, part 7: Authentication">[Part7]</cite></a>). 
    13881388      </p> 
    13891389      <div id="rfc.iref.50"></div> 
     
    22752275<a href="#header.allow" class="smpl">Allow</a> = "Allow:" OWS Allow-v 
    22762276<a href="#header.allow" class="smpl">Allow-v</a> = [ ( "," / Method ) *( OWS "," [ OWS Method ] ) ] 
    2277 <a href="#abnf.dependencies" class="smpl">Authorization</a> = &lt;Authorization, defined in [Part7], Section 3.1&gt; 
     2277<a href="#abnf.dependencies" class="smpl">Authorization</a> = &lt;Authorization, defined in [Part7], Section 4.1&gt; 
    22782278 
    22792279<a href="#abnf.dependencies" class="smpl">ETag</a> = &lt;ETag, defined in [Part4], Section 6.1&gt; 
     
    23132313 
    23142314Proxy-Authenticate = 
    2315  &lt;Proxy-Authenticate, defined in [Part7], Section 3.2&gt; 
     2315 &lt;Proxy-Authenticate, defined in [Part7], Section 4.2&gt; 
    23162316Proxy-Authorization = 
    2317  &lt;Proxy-Authorization, defined in [Part7], Section 3.3&gt; 
     2317 &lt;Proxy-Authorization, defined in [Part7], Section 4.3&gt; 
    23182318 
    23192319<a href="#core.rules" class="smpl">RWS</a> = &lt;RWS, defined in [Part1], Section 1.2.2&gt; 
     
    23432343 
    23442344WWW-Authenticate = 
    2345  &lt;WWW-Authenticate, defined in [Part7], Section 3.4&gt; 
     2345 &lt;WWW-Authenticate, defined in [Part7], Section 4.4&gt; 
    23462346 
    23472347<a href="#abnf.dependencies" class="smpl">absolute-URI</a> = &lt;absolute-URI, defined in [Part1], Section 2.6&gt; 
     
    27892789                  </li> 
    27902790                  <li class="indline1"><em>Part7</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.1">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.2">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.3">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.4">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.5">3</a>, <a class="iref" href="#rfc.xref.Part7.6">3</a>, <a class="iref" href="#rfc.xref.Part7.7">4</a>, <a class="iref" href="#rfc.xref.Part7.8">4</a>, <a class="iref" href="#rfc.xref.Part7.9">4</a>, <a class="iref" href="#rfc.xref.Part7.10">5</a>, <a class="iref" href="#rfc.xref.Part7.11">5</a>, <a class="iref" href="#rfc.xref.Part7.12">8.4.2</a>, <a class="iref" href="#rfc.xref.Part7.13">8.4.8</a>, <a class="iref" href="#Part7"><b>13.1</b></a><ul class="ind"> 
    2791                         <li class="indline1"><em>Section 2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.7">4</a></li> 
    2792                         <li class="indline1"><em>Section 2.1</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.8">4</a>, <a class="iref" href="#rfc.xref.Part7.12">8.4.2</a></li> 
    2793                         <li class="indline1"><em>Section 2.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.9">4</a>, <a class="iref" href="#rfc.xref.Part7.13">8.4.8</a></li> 
    2794                         <li class="indline1"><em>Section 3.1</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.1">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.5">3</a></li> 
    2795                         <li class="indline1"><em>Section 3.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.2">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.10">5</a></li> 
    2796                         <li class="indline1"><em>Section 3.3</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.3">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.6">3</a></li> 
    2797                         <li class="indline1"><em>Section 3.4</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.4">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.11">5</a></li> 
     2791                        <li class="indline1"><em>Section 3</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.7">4</a></li> 
     2792                        <li class="indline1"><em>Section 3.1</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.8">4</a>, <a class="iref" href="#rfc.xref.Part7.12">8.4.2</a></li> 
     2793                        <li class="indline1"><em>Section 3.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.9">4</a>, <a class="iref" href="#rfc.xref.Part7.13">8.4.8</a></li> 
     2794                        <li class="indline1"><em>Section 4.1</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.1">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.5">3</a></li> 
     2795                        <li class="indline1"><em>Section 4.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.2">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.10">5</a></li> 
     2796                        <li class="indline1"><em>Section 4.3</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.3">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.6">3</a></li> 
     2797                        <li class="indline1"><em>Section 4.4</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part7.4">1.2.2</a>, <a class="iref" href="#rfc.xref.Part7.11">5</a></li> 
    27982798                     </ul> 
    27992799                  </li> 
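Review bot: the regenerated index maps one-to-one onto the old entries (Section 2 to 3, 2.1 to 3.1, 2.2 to 3.2, 3.1 through 3.4 to 4.1 through 4.4) and every entry keeps the same rfc.xref.Part7.N anchor, so no citation is lost or duplicated. Nothing else in this hunk changes, which is the expected footprint for a pure renumbering.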
  • draft-ietf-httpbis/latest/p2-semantics.xml

    r994 r998  
    33193319<x:ref>Allow</x:ref> = "Allow:" OWS Allow-v 
    33203320<x:ref>Allow-v</x:ref> = [ ( "," / Method ) *( OWS "," [ OWS Method ] ) ] 
    3321 <x:ref>Authorization</x:ref> = &lt;Authorization, defined in [Part7], Section 3.1&gt; 
     3321<x:ref>Authorization</x:ref> = &lt;Authorization, defined in [Part7], Section 4.1&gt; 
    33223322 
    33233323<x:ref>ETag</x:ref> = &lt;ETag, defined in [Part4], Section 6.1&gt; 
     
    33573357 
    33583358Proxy-Authenticate = 
    3359  &lt;Proxy-Authenticate, defined in [Part7], Section 3.2&gt; 
     3359 &lt;Proxy-Authenticate, defined in [Part7], Section 4.2&gt; 
    33603360Proxy-Authorization = 
    3361  &lt;Proxy-Authorization, defined in [Part7], Section 3.3&gt; 
     3361 &lt;Proxy-Authorization, defined in [Part7], Section 4.3&gt; 
    33623362 
    33633363<x:ref>RWS</x:ref> = &lt;RWS, defined in [Part1], Section 1.2.2&gt; 
     
    33873387 
    33883388WWW-Authenticate = 
    3389  &lt;WWW-Authenticate, defined in [Part7], Section 3.4&gt; 
     3389 &lt;WWW-Authenticate, defined in [Part7], Section 4.4&gt; 
    33903390 
    33913391<x:ref>absolute-URI</x:ref> = &lt;absolute-URI, defined in [Part1], Section 2.6&gt; 
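Review bot: the only xml edits shown for p2-semantics are the Collected ABNF appendix lines, while the body cross-references (Section 4.1 etc.) change in the html with no corresponding xml hunk; that indicates the body references are generated at build time but the appendix text is a literal that has to be refreshed whenever p7 is renumbered. If the appendix is produced by the ABNF collection script, saying so in the commit message would make it clear it was regenerated rather than hand-edited.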
  • draft-ietf-httpbis/latest/p7-auth.html

    r994 r998  
    2929cite { 
    3030  font-style: normal; 
     31} 
     32div.note { 
     33  margin-left: 2em; 
    3134} 
    3235dd { 
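Review bot: the new `div.note { margin-left: 2em; }` rule suggests the incorporated RFC 2617 text uses a note construct that p7-auth.html did not previously render; since the stylesheet is shared across the seven parts and the p2-semantics.html hunks in this changeset do not touch CSS, check whether the other parts already carry this rule or whether this change should be made in the common generation template instead.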
     
    373376      <link rel="Index" href="#rfc.index"> 
    374377      <link rel="Chapter" title="1 Introduction" href="#rfc.section.1"> 
    375       <link rel="Chapter" title="2 Status Code Definitions" href="#rfc.section.2"> 
    376       <link rel="Chapter" title="3 Header Field Definitions" href="#rfc.section.3"> 
    377       <link rel="Chapter" title="4 IANA Considerations" href="#rfc.section.4"> 
    378       <link rel="Chapter" title="5 Security Considerations" href="#rfc.section.5"> 
    379       <link rel="Chapter" title="6 Acknowledgments" href="#rfc.section.6"> 
    380       <link rel="Chapter" href="#rfc.section.7" title="7 References"> 
     378      <link rel="Chapter" title="2 Access Authentication Framework" href="#rfc.section.2"> 
     379      <link rel="Chapter" title="3 Status Code Definitions" href="#rfc.section.3"> 
     380      <link rel="Chapter" title="4 Header Field Definitions" href="#rfc.section.4"> 
     381      <link rel="Chapter" title="5 IANA Considerations" href="#rfc.section.5"> 
     382      <link rel="Chapter" title="6 Security Considerations" href="#rfc.section.6"> 
     383      <link rel="Chapter" title="7 Acknowledgments" href="#rfc.section.7"> 
     384      <link rel="Chapter" href="#rfc.section.8" title="8 References"> 
    381385      <link rel="Appendix" title="A Collected ABNF" href="#rfc.section.A"> 
    382386      <link rel="Appendix" title="B Change Log (to be removed by RFC Editor before publication)" href="#rfc.section.B"> 
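Review bot: the inserted Chapter link for "2 Access Authentication Framework" and the one-step shift of chapters 3 through 8 match the table of contents and the p2 cross-reference updates in this changeset. One style nit carried over from the old lines: the References entry has `href` before `title` while every other link puts `title` first; harmless, but consistent attribute order would make future diffs of this block easier to read.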
     
    393397      <meta name="dct.creator" content="Reschke, J. F."> 
    394398      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p7-auth-latest"> 
    395       <meta name="dct.issued" scheme="ISO8601" content="2010-09-07"> 
     399      <meta name="dct.issued" scheme="ISO8601" content="2010-09-13"> 
    396400      <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 
    397401      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed, collaborative, hypermedia information systems. HTTP has been in use by the World Wide Web global information initiative since 1990. This document is Part 7 of the seven-part specification that defines the protocol referred to as &#34;HTTP/1.1&#34; and, taken together, obsoletes RFC 2616. Part 7 defines HTTP Authentication."> 
     
    424428            </tr> 
    425429            <tr> 
    426                <td class="left">Expires: March 11, 2011</td> 
     430               <td class="left">Expires: March 17, 2011</td> 
    427431               <td class="right">HP</td> 
    428432            </tr> 
     
    477481            <tr> 
    478482               <td class="left"></td> 
    479                <td class="right">September 7, 2010</td> 
     483               <td class="right">September 13, 2010</td> 
    480484            </tr> 
    481485         </tbody> 
     
    503507         in progress”. 
    504508      </p> 
    505       <p>This Internet-Draft will expire on March 11, 2011.</p> 
     509      <p>This Internet-Draft will expire on March 17, 2011.</p> 
    506510      <h1><a id="rfc.copyrightnotice" href="#rfc.copyrightnotice">Copyright Notice</a></h1> 
    507511      <p>Copyright © 2010 IETF Trust and the persons identified as the document authors. All rights reserved.</p> 
     
    525529               <li class="tocline1">1.2&nbsp;&nbsp;&nbsp;<a href="#notation">Syntax Notation</a><ul class="toc"> 
    526530                     <li class="tocline1">1.2.1&nbsp;&nbsp;&nbsp;<a href="#core.rules">Core Rules</a></li> 
    527                      <li class="tocline1">1.2.2&nbsp;&nbsp;&nbsp;<a href="#abnf.dependencies">ABNF Rules defined in other Parts of the Specification</a></li> 
    528531                  </ul> 
    529532               </li> 
    530533            </ul> 
    531534         </li> 
    532          <li class="tocline0">2.&nbsp;&nbsp;&nbsp;<a href="#status.code.definitions">Status Code Definitions</a><ul class="toc"> 
    533                <li class="tocline1">2.1&nbsp;&nbsp;&nbsp;<a href="#status.401">401 Unauthorized</a></li> 
    534                <li class="tocline1">2.2&nbsp;&nbsp;&nbsp;<a href="#status.407">407 Proxy Authentication Required</a></li> 
     535         <li class="tocline0">2.&nbsp;&nbsp;&nbsp;<a href="#access.authentication.framework">Access Authentication Framework</a></li> 
     536         <li class="tocline0">3.&nbsp;&nbsp;&nbsp;<a href="#status.code.definitions">Status Code Definitions</a><ul class="toc"> 
     537               <li class="tocline1">3.1&nbsp;&nbsp;&nbsp;<a href="#status.401">401 Unauthorized</a></li> 
     538               <li class="tocline1">3.2&nbsp;&nbsp;&nbsp;<a href="#status.407">407 Proxy Authentication Required</a></li> 
    535539            </ul> 
    536540         </li> 
    537          <li class="tocline0">3.&nbsp;&nbsp;&nbsp;<a href="#header.fields">Header Field Definitions</a><ul class="toc"> 
    538                <li class="tocline1">3.1&nbsp;&nbsp;&nbsp;<a href="#header.authorization">Authorization</a></li> 
    539                <li class="tocline1">3.2&nbsp;&nbsp;&nbsp;<a href="#header.proxy-authenticate">Proxy-Authenticate</a></li> 
    540                <li class="tocline1">3.3&nbsp;&nbsp;&nbsp;<a href="#header.proxy-authorization">Proxy-Authorization</a></li> 
    541                <li class="tocline1">3.4&nbsp;&nbsp;&nbsp;<a href="#header.www-authenticate">WWW-Authenticate</a></li> 
     541         <li class="tocline0">4.&nbsp;&nbsp;&nbsp;<a href="#header.fields">Header Field Definitions</a><ul class="toc"> 
     542               <li class="tocline1">4.1&nbsp;&nbsp;&nbsp;<a href="#header.authorization">Authorization</a></li> 
     543               <li class="tocline1">4.2&nbsp;&nbsp;&nbsp;<a href="#header.proxy-authenticate">Proxy-Authenticate</a></li> 
     544               <li class="tocline1">4.3&nbsp;&nbsp;&nbsp;<a href="#header.proxy-authorization">Proxy-Authorization</a></li> 
     545               <li class="tocline1">4.4&nbsp;&nbsp;&nbsp;<a href="#header.www-authenticate">WWW-Authenticate</a></li> 
    542546            </ul> 
    543547         </li> 
    544          <li class="tocline0">4.&nbsp;&nbsp;&nbsp;<a href="#IANA.considerations">IANA Considerations</a><ul class="toc"> 
    545                <li class="tocline1">4.1&nbsp;&nbsp;&nbsp;<a href="#status.code.registration">Status Code Registration</a></li> 
    546                <li class="tocline1">4.2&nbsp;&nbsp;&nbsp;<a href="#header.field.registration">Header Field Registration</a></li> 
     548         <li class="tocline0">5.&nbsp;&nbsp;&nbsp;<a href="#IANA.considerations">IANA Considerations</a><ul class="toc"> 
     549               <li class="tocline1">5.1&nbsp;&nbsp;&nbsp;<a href="#status.code.registration">Status Code Registration</a></li> 
     550               <li class="tocline1">5.2&nbsp;&nbsp;&nbsp;<a href="#header.field.registration">Header Field Registration</a></li> 
    547551            </ul> 
    548552         </li> 
    549          <li class="tocline0">5.&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a><ul class="toc"> 
    550                <li class="tocline1">5.1&nbsp;&nbsp;&nbsp;<a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></li> 
     553         <li class="tocline0">6.&nbsp;&nbsp;&nbsp;<a href="#security.considerations">Security Considerations</a><ul class="toc"> 
     554               <li class="tocline1">6.1&nbsp;&nbsp;&nbsp;<a href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></li> 
    551555            </ul> 
    552556         </li> 
    553          <li class="tocline0">6.&nbsp;&nbsp;&nbsp;<a href="#ack">Acknowledgments</a></li> 
    554          <li class="tocline0">7.&nbsp;&nbsp;&nbsp;<a href="#rfc.references">References</a><ul class="toc"> 
    555                <li class="tocline1">7.1&nbsp;&nbsp;&nbsp;<a href="#rfc.references.1">Normative References</a></li> 
    556                <li class="tocline1">7.2&nbsp;&nbsp;&nbsp;<a href="#rfc.references.2">Informative References</a></li> 
     557         <li class="tocline0">7.&nbsp;&nbsp;&nbsp;<a href="#ack">Acknowledgments</a></li> 
     558         <li class="tocline0">8.&nbsp;&nbsp;&nbsp;<a href="#rfc.references">References</a><ul class="toc"> 
     559               <li class="tocline1">8.1&nbsp;&nbsp;&nbsp;<a href="#rfc.references.1">Normative References</a></li> 
     560               <li class="tocline1">8.2&nbsp;&nbsp;&nbsp;<a href="#rfc.references.2">Informative References</a></li> 
    557561            </ul> 
    558562         </li> 
     
    578582      </ul> 
    579583      <h1 id="rfc.section.1" class="np"><a href="#rfc.section.1">1.</a>&nbsp;<a id="introduction" href="#introduction">Introduction</a></h1> 
    580       <p id="rfc.section.1.p.1">This document defines HTTP/1.1 access control and authentication. Right now it includes the extracted relevant sections of <cite title="Hypertext Transfer Protocol -- HTTP/1.1" id="rfc.xref.RFC2616.1">RFC 2616</cite> with only minor changes. The intention is to move the general framework for HTTP authentication here, as currently specified 
    581          in <a href="#RFC2617" id="rfc.xref.RFC2617.1"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, and allow the individual authentication mechanisms to be defined elsewhere. This introduction will be rewritten when that 
    582          occurs. 
     584      <p id="rfc.section.1.p.1">This document defines HTTP/1.1 access control and authentication. It includes the relevant parts of <cite title="Hypertext Transfer Protocol -- HTTP/1.1" id="rfc.xref.RFC2616.1">RFC 2616</cite> with only minor changes, plus the general framework for HTTP authentication, as previously defined in "HTTP Authentication: 
     585         Basic and Digest Access Authentication" (<a href="#RFC2617" id="rfc.xref.RFC2617.1"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>). 
    583586      </p> 
    584587      <p id="rfc.section.1.p.2">HTTP provides several <em class="bcp14">OPTIONAL</em> challenge-response authentication mechanisms which can be used by a server to challenge a client request and by a client to 
    585          provide authentication information. The general framework for access authentication, and the specification of "basic" and 
    586          "digest" authentication, are specified in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.2"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. This specification adopts the definitions of "challenge" and "credentials" from that specification. 
     588         provide authentication information. The "basic" and "digest" authentication schemes continue to be specified in <cite title="HTTP Authentication: Basic and Digest Access Authentication" id="rfc.xref.RFC2617.2">RFC 2617</cite>. 
    587589      </p> 
    588590      <h2 id="rfc.section.1.1"><a href="#rfc.section.1.1">1.1</a>&nbsp;<a id="intro.requirements" href="#intro.requirements">Requirements</a></h2> 
     
    605607      <p id="rfc.section.1.2.1.p.1">The core rules below are defined in <a href="p1-messaging.html#basic.rules" title="Basic Rules">Section 1.2.2</a> of <a href="#Part1" id="rfc.xref.Part1.2"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>: 
    606608      </p> 
    607       <div id="rfc.figure.u.1"></div><pre class="inline">  <a href="#core.rules" class="smpl">OWS</a>         = &lt;OWS, defined in <a href="#Part1" id="rfc.xref.Part1.3"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>, <a href="p1-messaging.html#basic.rules" title="Basic Rules">Section 1.2.2</a>&gt; 
    608 </pre><h3 id="rfc.section.1.2.2"><a href="#rfc.section.1.2.2">1.2.2</a>&nbsp;<a id="abnf.dependencies" href="#abnf.dependencies">ABNF Rules defined in other Parts of the Specification</a></h3> 
    609       <p id="rfc.section.1.2.2.p.1">  The ABNF rules below are defined in other specifications:</p> 
    610       <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.g.1"></span><span id="rfc.iref.g.2"></span>  <a href="#abnf.dependencies" class="smpl">challenge</a>   = &lt;challenge, defined in <a href="#RFC2617" id="rfc.xref.RFC2617.3"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, <a href="http://tools.ietf.org/html/rfc2617#section-1.2">Section 1.2</a>&gt; 
    611   <a href="#abnf.dependencies" class="smpl">credentials</a> = &lt;credentials, defined in <a href="#RFC2617" id="rfc.xref.RFC2617.4"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>, <a href="http://tools.ietf.org/html/rfc2617#section-1.2">Section 1.2</a>&gt; 
    612 </pre><h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1> 
    613       <div id="rfc.iref.2"></div> 
     609      <div id="rfc.figure.u.1"></div><pre class="inline">  <a href="#core.rules" class="smpl">quoted-string</a> = &lt;quoted-string, defined in <a href="#Part1" id="rfc.xref.Part1.3"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>, <a href="p1-messaging.html#basic.rules" title="Basic Rules">Section 1.2.2</a>&gt; 
     610  <a href="#core.rules" class="smpl">token</a>         = &lt;token, defined in <a href="#Part1" id="rfc.xref.Part1.4"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>, <a href="p1-messaging.html#basic.rules" title="Basic Rules">Section 1.2.2</a>&gt; 
     611  <a href="#core.rules" class="smpl">OWS</a>           = &lt;OWS, defined in <a href="#Part1" id="rfc.xref.Part1.5"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>, <a href="p1-messaging.html#basic.rules" title="Basic Rules">Section 1.2.2</a>&gt; 
     612</pre><h1 id="rfc.section.2"><a href="#rfc.section.2">2.</a>&nbsp;<a id="access.authentication.framework" href="#access.authentication.framework">Access Authentication Framework</a></h1> 
     613      <p id="rfc.section.2.p.1">HTTP provides a simple challenge-response authentication mechanism that can be used by a server to challenge a client request 
     614         and by a client to provide authentication information. It uses an extensible, case-insensitive token to identify the authentication 
     615         scheme, followed by a comma-separated list of attribute-value pairs which carry the parameters necessary for achieving authentication 
     616         via that scheme. 
     617      </p> 
     618      <div id="rfc.figure.u.2"></div><pre class="inline"><span id="rfc.iref.a.1"></span><span id="rfc.iref.a.2"></span>  auth-scheme    = token 
     619  auth-param     = token "=" ( token / quoted-string ) 
     620</pre><p id="rfc.section.2.p.3">The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response <em class="bcp14">MUST</em> include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource. The 407 (Proxy 
     621         Authentication Required) response message is used by a proxy to challenge the authorization of a client and <em class="bcp14">MUST</em> include a Proxy-Authenticate header field containing at least one challenge applicable to the proxy for the requested resource. 
     622      </p> 
     623      <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.c.1"></span>  <a href="#access.authentication.framework" class="smpl">challenge</a>   = <a href="#access.authentication.framework" class="smpl">auth-scheme</a> 1*<a href="#notation" class="smpl">SP</a> 1#<a href="#access.authentication.framework" class="smpl">auth-param</a> 
     624</pre><div class="note" id="rfc.section.2.p.5">  
     625         <p> <b>Note:</b> User agents will need to take special care in parsing the WWW-Authenticate or Proxy-Authenticate header field value if it 
     626            contains more than one challenge, or if more than one WWW-Authenticate header field is provided, since the contents of a challenge 
     627            can itself contain a comma-separated list of authentication parameters. 
     628         </p>  
     629      </div> 
     630      <p id="rfc.section.2.p.6">The authentication parameter realm is defined for all authentication schemes:</p> 
     631      <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.r.1"></span><span id="rfc.iref.r.2"></span>  realm       = "realm" "=" realm-value 
     632  realm-value = quoted-string 
     633</pre><p id="rfc.section.2.p.8">The realm directive (case-insensitive) is required for all authentication schemes that issue a challenge. The realm value 
     634         (case-sensitive), in combination with the canonical root URL ( the scheme and authority components of the effective request 
     635         URI; see <a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.6"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>) of the server being accessed, defines the protection space. These realms allow the protected resources on a server to be 
     636         partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database. The realm 
     637         value is a string, generally assigned by the origin server, which can have additional semantics specific to the authentication 
     638         scheme. Note that there can be multiple challenges with the same auth-scheme but different realms. 
     639      </p> 
     640      <p id="rfc.section.2.p.9">A user agent that wishes to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 
     641         (Unauthorized) -- <em class="bcp14">MAY</em> do so by including an Authorization header field with the request. A client that wishes to authenticate itself with a proxy 
     642         -- usually, but not necessarily, after receiving a 407 (Proxy Authentication Required) -- <em class="bcp14">MAY</em> do so by including a Proxy-Authorization header field with the request. Both the Authorization field value and the Proxy-Authorization 
     643         field value consist of credentials containing the authentication information of the client for the realm of the resource being 
     644         requested. The user agent <em class="bcp14">MUST</em> choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based 
     645         upon that challenge. 
     646      </p> 
     647      <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.c.2"></span>  <a href="#access.authentication.framework" class="smpl">credentials</a> = <a href="#access.authentication.framework" class="smpl">auth-scheme</a> ( <a href="#core.rules" class="smpl">token</a> 
     648                            / <a href="#core.rules" class="smpl">quoted-string</a> 
     649                            / #<a href="#access.authentication.framework" class="smpl">auth-param</a> ) 
     650</pre><div class="note" id="rfc.section.2.p.11">  
     651         <p> <b>Note:</b> many browsers will only recognize Basic and will require that it be the first auth-scheme presented. Servers should only include 
     652            Basic if it is minimally acceptable.<span class="comment" id="rfc.comment.1">[<a href="#rfc.comment.1" class="smpl">rfc.comment.1</a>: Either rephrase and add reference or drop.]</span>  
     653         </p>  
     654      </div> 
     655      <p id="rfc.section.2.p.12">The protection space determines the domain over which credentials can be automatically applied. If a prior request has been 
     656         authorized, the same credentials <em class="bcp14">MAY</em> be reused for all other requests within that protection space for a period of time determined by the authentication scheme, 
     657         parameters, and/or user preference. Unless otherwise defined by the authentication scheme, a single protection space cannot 
     658         extend outside the scope of its server. 
     659      </p> 
     660      <p id="rfc.section.2.p.13">If the origin server does not wish to accept the credentials sent with a request, it <em class="bcp14">SHOULD</em> return a 401 (Unauthorized) response. The response <em class="bcp14">MUST</em> include a WWW-Authenticate header field containing at least one (possibly new) challenge applicable to the requested resource. 
     661         If a proxy does not accept the credentials sent with a request, it <em class="bcp14">SHOULD</em> return a 407 (Proxy Authentication Required). The response <em class="bcp14">MUST</em> include a Proxy-Authenticate header field containing a (possibly new) challenge applicable to the proxy for the requested 
     662         resource. 
     663      </p> 
     664      <p id="rfc.section.2.p.14">The HTTP protocol does not restrict applications to this simple challenge-response mechanism for access authentication. Additional 
     665         mechanisms <em class="bcp14">MAY</em> be used, such as encryption at the transport level or via message encapsulation, and with additional header fields specifying 
     666         authentication information. However, these additional mechanisms are not defined by this specification. 
     667      </p> 
     668      <p id="rfc.section.2.p.15">Proxies <em class="bcp14">MUST</em> be completely transparent regarding user agent authentication by origin servers. That is, they <em class="bcp14">MUST</em> forward the WWW-Authenticate and Authorization headers untouched, and follow the rules found in <a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section&nbsp;4.1</a>. Both the Proxy-Authenticate and the Proxy-Authorization header fields are hop-by-hop headers (see <a href="p1-messaging.html#end-to-end.and.hop-by-hop.header-fields" title="End-to-end and Hop-by-hop Header Fields">Section 7.1.3.1</a> of <a href="#Part1" id="rfc.xref.Part1.7"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). 
     669      </p> 
     670      <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="status.code.definitions" href="#status.code.definitions">Status Code Definitions</a></h1> 
     671      <div id="rfc.iref.6"></div> 
    614672      <div id="rfc.iref.s.1"></div> 
    615       <h2 id="rfc.section.2.1"><a href="#rfc.section.2.1">2.1</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h2> 
    616       <p id="rfc.section.2.1.p.1">The request requires user authentication. The response <em class="bcp14">MUST</em> include a WWW-Authenticate header field (<a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.1" title="WWW-Authenticate">Section&nbsp;3.4</a>) containing a challenge applicable to the target resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Authorization header field (<a href="#header.authorization" id="rfc.xref.header.authorization.1" title="Authorization">Section&nbsp;3.1</a>). If the request already included Authorization credentials, then the 401 response indicates that authorization has been 
     673      <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a>&nbsp;<a id="status.401" href="#status.401">401 Unauthorized</a></h2> 
     674      <p id="rfc.section.3.1.p.1">The request requires user authentication. The response <em class="bcp14">MUST</em> include a WWW-Authenticate header field (<a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.1" title="WWW-Authenticate">Section&nbsp;4.4</a>) containing a challenge applicable to the target resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Authorization header field (<a href="#header.authorization" id="rfc.xref.header.authorization.2" title="Authorization">Section&nbsp;4.1</a>). If the request already included Authorization credentials, then the 401 response indicates that authorization has been 
    617675         refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has 
    618676         already attempted authentication at least once, then the user <em class="bcp14">SHOULD</em> be presented the representation that was given in the response, since that representation might include relevant diagnostic 
    619          information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.5"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. 
    620       </p> 
    621       <div id="rfc.iref.3"></div> 
     677         information. 
     678      </p> 
     679      <div id="rfc.iref.7"></div> 
    622680      <div id="rfc.iref.s.2"></div> 
    623       <h2 id="rfc.section.2.2"><a href="#rfc.section.2.2">2.2</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2> 
    624       <p id="rfc.section.2.2.p.1">This code is similar to 401 (Unauthorized), but indicates that the client must first authenticate itself with the proxy. The 
    625          proxy <em class="bcp14">MUST</em> return a Proxy-Authenticate header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section&nbsp;3.2</a>) containing a challenge applicable to the proxy for the target resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Proxy-Authorization header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section&nbsp;3.3</a>). HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.6"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. 
    626       </p> 
    627       <h1 id="rfc.section.3"><a href="#rfc.section.3">3.</a>&nbsp;<a id="header.fields" href="#header.fields">Header Field Definitions</a></h1> 
    628       <p id="rfc.section.3.p.1">This section defines the syntax and semantics of HTTP/1.1 header fields related to authentication.</p> 
    629       <div id="rfc.iref.a.1"></div> 
     681      <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a>&nbsp;<a id="status.407" href="#status.407">407 Proxy Authentication Required</a></h2> 
     682      <p id="rfc.section.3.2.p.1">This code is similar to 401 (Unauthorized), but indicates that the client ought to first authenticate itself with the proxy. 
     683         The proxy <em class="bcp14">MUST</em> return a Proxy-Authenticate header field (<a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.1" title="Proxy-Authenticate">Section&nbsp;4.2</a>) containing a challenge applicable to the proxy for the target resource. The client <em class="bcp14">MAY</em> repeat the request with a suitable Proxy-Authorization header field (<a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.1" title="Proxy-Authorization">Section&nbsp;4.3</a>). 
     684      </p> 
     685      <h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a>&nbsp;<a id="header.fields" href="#header.fields">Header Field Definitions</a></h1> 
     686      <p id="rfc.section.4.p.1">This section defines the syntax and semantics of HTTP/1.1 header fields related to authentication.</p> 
     687      <div id="rfc.iref.a.3"></div> 
    630688      <div id="rfc.iref.h.1"></div> 
    631       <h2 id="rfc.section.3.1"><a href="#rfc.section.3.1">3.1</a>&nbsp;<a id="header.authorization" href="#header.authorization">Authorization</a></h2> 
    632       <p id="rfc.section.3.1.p.1">The "Authorization" request-header field allows a user agent to authenticate itself with a server -- usually, but not necessarily, 
     689      <h2 id="rfc.section.4.1"><a href="#rfc.section.4.1">4.1</a>&nbsp;<a id="header.authorization" href="#header.authorization">Authorization</a></h2> 
     690      <p id="rfc.section.4.1.p.1">The "Authorization" request-header field allows a user agent to authenticate itself with a server -- usually, but not necessarily, 
    633691         after receiving a 401 (Unauthorized) response. Its value consists of credentials containing information of the user agent 
    634692         for the realm of the resource being requested. 
    635693      </p> 
    636       <div id="rfc.figure.u.3"></div><pre class="inline"><span id="rfc.iref.g.3"></span><span id="rfc.iref.g.4"></span>  <a href="#header.authorization" class="smpl">Authorization</a>   = "Authorization" ":" <a href="#core.rules" class="smpl">OWS</a> <a href="#header.authorization" class="smpl">Authorization-v</a> 
    637   <a href="#header.authorization" class="smpl">Authorization-v</a> = <a href="#abnf.dependencies" class="smpl">credentials</a> 
    638 </pre><p id="rfc.section.3.1.p.3">HTTP access authentication is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.7"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, 
     694      <div id="rfc.figure.u.6"></div><pre class="inline"><span id="rfc.iref.g.1"></span><span id="rfc.iref.g.2"></span>  <a href="#header.authorization" class="smpl">Authorization</a>   = "Authorization" ":" <a href="#core.rules" class="smpl">OWS</a> <a href="#header.authorization" class="smpl">Authorization-v</a> 
     695  <a href="#header.authorization" class="smpl">Authorization-v</a> = <a href="#access.authentication.framework" class="smpl">credentials</a> 
     696</pre><p id="rfc.section.4.1.p.3">If a request is authenticated and a realm specified, the same credentials <em class="bcp14">SHOULD</em> be valid for all other requests within this realm (assuming that the authentication scheme itself does not require otherwise, 
    639697         such as credentials that vary according to a challenge value or using synchronized clocks). 
    640698      </p> 
    641       <p id="rfc.section.3.1.p.4">When a shared cache (see <a href="p6-cache.html#shared.and.non-shared.caches">Section 1.2</a> of <a href="#Part6" id="rfc.xref.Part6.1"><cite title="HTTP/1.1, part 6: Caching">[Part6]</cite></a>) receives a request containing an Authorization field, it <em class="bcp14">MUST NOT</em> return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds: 
    642       </p> 
    643       <p id="rfc.section.3.1.p.5"> </p> 
     699      <p id="rfc.section.4.1.p.4">When a shared cache (see <a href="p6-cache.html#shared.and.non-shared.caches">Section 1.2</a> of <a href="#Part6" id="rfc.xref.Part6.1"><cite title="HTTP/1.1, part 6: Caching">[Part6]</cite></a>) receives a request containing an Authorization field, it <em class="bcp14">MUST NOT</em> return the corresponding response as a reply to any other request, unless one of the following specific exceptions holds: 
     700      </p> 
     701      <p id="rfc.section.4.1.p.5"> </p> 
    644702      <ol> 
    645703         <li>If the response includes the "s-maxage" cache-control directive, the cache <em class="bcp14">MAY</em> use that response in replying to a subsequent request. But (if the specified maximum age has passed) a proxy cache <em class="bcp14">MUST</em> first revalidate it with the origin server, using the request-header fields from the new request to allow the origin server 
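Review bot: the requirement at new lines 644-645 that the user agent MUST use "one of the challenges with the strongest auth-scheme it understands" gives no criterion for strength, and the note immediately after it (new lines 651-652) says many browsers only recognize Basic and require it to be listed first, so an agent that equates "first listed" with "strongest" is compliant while settling on the weakest scheme offered. Either define the selection rule (for instance, state that the order of challenges in the header carries no preference and that relative strength is a matter of the agent's configuration) or downgrade the MUST to guidance, and resolve the open editor comment rfc.comment.1 ("Either rephrase and add reference or drop") before this lands. Minor: the 401 requirement to carry a WWW-Authenticate header with at least one challenge is now stated three times (new lines 620, 660 and 674) and could be stated once with cross-references, and there is a stray space after the opening parenthesis in "( the scheme and authority components" at new line 634.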
     
    654712      <div id="rfc.iref.p.1"></div> 
    655713      <div id="rfc.iref.h.2"></div> 
    656       <h2 id="rfc.section.3.2"><a href="#rfc.section.3.2">3.2</a>&nbsp;<a id="header.proxy-authenticate" href="#header.proxy-authenticate">Proxy-Authenticate</a></h2> 
    657       <p id="rfc.section.3.2.p.1">The "Proxy-Authenticate" response-header field consists of a challenge that indicates the authentication scheme and parameters 
    658          applicable to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.4"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response. 
    659       </p> 
    660       <div id="rfc.figure.u.4"></div><pre class="inline"><span id="rfc.iref.g.5"></span><span id="rfc.iref.g.6"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a>   = "Proxy-Authenticate" ":" <a href="#core.rules" class="smpl">OWS</a> 
     714      <h2 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a>&nbsp;<a id="header.proxy-authenticate" href="#header.proxy-authenticate">Proxy-Authenticate</a></h2> 
     715      <p id="rfc.section.4.2.p.1">The "Proxy-Authenticate" response-header field consists of a challenge that indicates the authentication scheme and parameters 
     716         applicable to the proxy for this effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.8"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included as part of a 407 (Proxy Authentication Required) response. 
     717      </p> 
     718      <div id="rfc.figure.u.7"></div><pre class="inline"><span id="rfc.iref.g.3"></span><span id="rfc.iref.g.4"></span>  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate</a>   = "Proxy-Authenticate" ":" <a href="#core.rules" class="smpl">OWS</a> 
    661719                         <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate-v</a> 
    662   <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate-v</a> = 1#<a href="#abnf.dependencies" class="smpl">challenge</a> 
    663 </pre><p id="rfc.section.3.2.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.8"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting 
     720  <a href="#header.proxy-authenticate" class="smpl">Proxy-Authenticate-v</a> = 1#<a href="#access.authentication.framework" class="smpl">challenge</a> 
     721</pre><p id="rfc.section.4.2.p.3">Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to the current connection and <em class="bcp14">SHOULD NOT</em> be passed on to downstream clients. However, an intermediate proxy might need to obtain its own credentials by requesting 
    664722         them from the downstream client, which in some circumstances will appear as if the proxy is forwarding the Proxy-Authenticate 
    665723         header field. 
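Review bot: new line 721 drops the sentence pointing to where the HTTP access authentication process is described without putting anything in its place; since the framework now lives in Section 2 of this document, add a cross-reference to `#access.authentication.framework` here, and do the same at the parallel spots in 4.1 (new line 696) and 4.3 (new line 735), which lose the same pointer.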
     
    667725      <div id="rfc.iref.p.2"></div> 
    668726      <div id="rfc.iref.h.3"></div> 
    669       <h2 id="rfc.section.3.3"><a href="#rfc.section.3.3">3.3</a>&nbsp;<a id="header.proxy-authorization" href="#header.proxy-authorization">Proxy-Authorization</a></h2> 
    670       <p id="rfc.section.3.3.p.1">The "Proxy-Authorization" request-header field allows the client to identify itself (or its user) to a proxy which requires 
     727      <h2 id="rfc.section.4.3"><a href="#rfc.section.4.3">4.3</a>&nbsp;<a id="header.proxy-authorization" href="#header.proxy-authorization">Proxy-Authorization</a></h2> 
     728      <p id="rfc.section.4.3.p.1">The "Proxy-Authorization" request-header field allows the client to identify itself (or its user) to a proxy which requires 
    671729         authentication. Its value consists of credentials containing the authentication information of the user agent for the proxy 
    672730         and/or realm of the resource being requested. 
    673731      </p> 
    674       <div id="rfc.figure.u.5"></div><pre class="inline"><span id="rfc.iref.g.7"></span><span id="rfc.iref.g.8"></span>  <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a>   = "Proxy-Authorization" ":" <a href="#core.rules" class="smpl">OWS</a> 
     732      <div id="rfc.figure.u.8"></div><pre class="inline"><span id="rfc.iref.g.5"></span><span id="rfc.iref.g.6"></span>  <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization</a>   = "Proxy-Authorization" ":" <a href="#core.rules" class="smpl">OWS</a> 
    675733                          <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization-v</a> 
    676   <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization-v</a> = <a href="#abnf.dependencies" class="smpl">credentials</a> 
    677 </pre><p id="rfc.section.3.3.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.9"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication 
     734  <a href="#header.proxy-authorization" class="smpl">Proxy-Authorization-v</a> = <a href="#access.authentication.framework" class="smpl">credentials</a> 
     735</pre><p id="rfc.section.4.3.p.3">Unlike Authorization, the Proxy-Authorization header field applies only to the next outbound proxy that demanded authentication 
    678736         using the Proxy-Authenticate field. When multiple proxies are used in a chain, the Proxy-Authorization header field is consumed 
    679737         by the first outbound proxy that was expecting to receive credentials. A proxy <em class="bcp14">MAY</em> relay the credentials from the client request to the next proxy if that is the mechanism by which the proxies cooperatively 
     
    682740      <div id="rfc.iref.w.1"></div> 
    683741      <div id="rfc.iref.h.4"></div> 
    684       <h2 id="rfc.section.3.4"><a href="#rfc.section.3.4">3.4</a>&nbsp;<a id="header.www-authenticate" href="#header.www-authenticate">WWW-Authenticate</a></h2> 
    685       <p id="rfc.section.3.4.p.1">The "WWW-Authenticate" response-header field consists of at least one challenge that indicates the authentication scheme(s) 
    686          and parameters applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.5"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages. 
    687       </p> 
    688       <div id="rfc.figure.u.6"></div><pre class="inline"><span id="rfc.iref.g.9"></span><span id="rfc.iref.g.10"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>   = "WWW-Authenticate" ":" <a href="#core.rules" class="smpl">OWS</a> <a href="#header.www-authenticate" class="smpl">WWW-Authenticate-v</a> 
    689   <a href="#header.www-authenticate" class="smpl">WWW-Authenticate-v</a> = 1#<a href="#abnf.dependencies" class="smpl">challenge</a> 
    690 </pre><p id="rfc.section.3.4.p.3">The HTTP access authentication process is described in "HTTP Authentication: Basic and Digest Access Authentication" <a href="#RFC2617" id="rfc.xref.RFC2617.10"><cite title="HTTP Authentication: Basic and Digest Access Authentication">[RFC2617]</cite></a>. User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one 
     742      <h2 id="rfc.section.4.4"><a href="#rfc.section.4.4">4.4</a>&nbsp;<a id="header.www-authenticate" href="#header.www-authenticate">WWW-Authenticate</a></h2> 
     743      <p id="rfc.section.4.4.p.1">The "WWW-Authenticate" response-header field consists of at least one challenge that indicates the authentication scheme(s) 
     744         and parameters applicable to the effective request URI (<a href="p1-messaging.html#effective.request.uri" title="Effective Request URI">Section 4.3</a> of <a href="#Part1" id="rfc.xref.Part1.9"><cite title="HTTP/1.1, part 1: URIs, Connections, and Message Parsing">[Part1]</cite></a>). It <em class="bcp14">MUST</em> be included in 401 (Unauthorized) response messages. 
     745      </p> 
     746      <div id="rfc.figure.u.9"></div><pre class="inline"><span id="rfc.iref.g.7"></span><span id="rfc.iref.g.8"></span>  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate</a>   = "WWW-Authenticate" ":" <a href="#core.rules" class="smpl">OWS</a> <a href="#header.www-authenticate" class="smpl">WWW-Authenticate-v</a> 
     747  <a href="#header.www-authenticate" class="smpl">WWW-Authenticate-v</a> = 1#<a href="#access.authentication.framework" class="smpl">challenge</a> 
     748</pre><p id="rfc.section.4.4.p.3">User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one 
    691749         challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a 
    692750         comma-separated list of authentication parameters. 
    693751      </p> 
    694       <h1 id="rfc.section.4"><a href="#rfc.section.4">4.</a>&nbsp;<a id="IANA.considerations" href="#IANA.considerations">IANA Considerations</a></h1> 
    695       <h2 id="rfc.section.4.1"><a href="#rfc.section.4.1">4.1</a>&nbsp;<a id="status.code.registration" href="#status.code.registration">Status Code Registration</a></h2> 
    696       <p id="rfc.section.4.1.p.1">The HTTP Status Code Registry located at &lt;<a href="http://www.iana.org/assignments/http-status-codes">http://www.iana.org/assignments/http-status-codes</a>&gt; shall be updated with the registrations below: 
     752      <h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a>&nbsp;<a id="IANA.considerations" href="#IANA.considerations">IANA Considerations</a></h1> 
     753      <h2 id="rfc.section.5.1"><a href="#rfc.section.5.1">5.1</a>&nbsp;<a id="status.code.registration" href="#status.code.registration">Status Code Registration</a></h2> 
     754      <p id="rfc.section.5.1.p.1">The HTTP Status Code Registry located at &lt;<a href="http://www.iana.org/assignments/http-status-codes">http://www.iana.org/assignments/http-status-codes</a>&gt; shall be updated with the registrations below: 
    697755      </p> 
    698756      <div id="rfc.table.1"> 
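Review bot: the parsing caution kept as unchanged context at the end of the WWW-Authenticate section ("User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters") runs three distinct hazards into one sentence and reads as if the second were a condition on the third. Now that challenge and auth-param are defined in this document instead of being imported from RFC 2617, spell them out as separate cases: more than one challenge in a single field value, more than one WWW-Authenticate field in the response, and auth-param values that are quoted-strings and can therefore themselves contain commas. The practical consequence worth stating is that a parser which splits the field value on commas before honouring quoted-string boundaries will misparse a valid challenge.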
     
    710768                  <td class="left">401</td> 
    711769                  <td class="left">Unauthorized</td> 
    712                   <td class="left"> <a href="#status.401" id="rfc.xref.status.401.1" title="401 Unauthorized">Section&nbsp;2.1</a>  
     770                  <td class="left"> <a href="#status.401" id="rfc.xref.status.401.1" title="401 Unauthorized">Section&nbsp;3.1</a>  
    713771                  </td> 
    714772               </tr> 
     
    716774                  <td class="left">407</td> 
    717775                  <td class="left">Proxy Authentication Required</td> 
    718                   <td class="left"> <a href="#status.407" id="rfc.xref.status.407.1" title="407 Proxy Authentication Required">Section&nbsp;2.2</a>  
     776                  <td class="left"> <a href="#status.407" id="rfc.xref.status.407.1" title="407 Proxy Authentication Required">Section&nbsp;3.2</a>  
    719777                  </td> 
    720778               </tr> 
     
    722780         </table> 
    723781      </div> 
    724       <h2 id="rfc.section.4.2"><a href="#rfc.section.4.2">4.2</a>&nbsp;<a id="header.field.registration" href="#header.field.registration">Header Field Registration</a></h2> 
    725       <p id="rfc.section.4.2.p.1">The Message Header Field Registry located at &lt;<a href="http://www.iana.org/assignments/message-headers/message-header-index.html">http://www.iana.org/assignments/message-headers/message-header-index.html</a>&gt; shall be updated with the permanent registrations below (see <a href="#RFC3864" id="rfc.xref.RFC3864.1"><cite title="Registration Procedures for Message Header Fields">[RFC3864]</cite></a>): 
     782      <h2 id="rfc.section.5.2"><a href="#rfc.section.5.2">5.2</a>&nbsp;<a id="header.field.registration" href="#header.field.registration">Header Field Registration</a></h2> 
     783      <p id="rfc.section.5.2.p.1">The Message Header Field Registry located at &lt;<a href="http://www.iana.org/assignments/message-headers/message-header-index.html">http://www.iana.org/assignments/message-headers/message-header-index.html</a>&gt; shall be updated with the permanent registrations below (see <a href="#RFC3864" id="rfc.xref.RFC3864.1"><cite title="Registration Procedures for Message Header Fields">[RFC3864]</cite></a>): 
    726784      </p> 
    727785      <div id="rfc.table.2"> 
     
    741799                  <td class="left">http</td> 
    742800                  <td class="left">standard</td> 
    743                   <td class="left"> <a href="#header.authorization" id="rfc.xref.header.authorization.2" title="Authorization">Section&nbsp;3.1</a>  
     801                  <td class="left"> <a href="#header.authorization" id="rfc.xref.header.authorization.3" title="Authorization">Section&nbsp;4.1</a>  
    744802                  </td> 
    745803               </tr> 
     
    748806                  <td class="left">http</td> 
    749807                  <td class="left">standard</td> 
    750                   <td class="left"> <a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.2" title="Proxy-Authenticate">Section&nbsp;3.2</a>  
     808                  <td class="left"> <a href="#header.proxy-authenticate" id="rfc.xref.header.proxy-authenticate.2" title="Proxy-Authenticate">Section&nbsp;4.2</a>  
    751809                  </td> 
    752810               </tr> 
     
    755813                  <td class="left">http</td> 
    756814                  <td class="left">standard</td> 
    757                   <td class="left"> <a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.2" title="Proxy-Authorization">Section&nbsp;3.3</a>  
     815                  <td class="left"> <a href="#header.proxy-authorization" id="rfc.xref.header.proxy-authorization.2" title="Proxy-Authorization">Section&nbsp;4.3</a>  
    758816                  </td> 
    759817               </tr> 
     
    762820                  <td class="left">http</td> 
    763821                  <td class="left">standard</td> 
    764                   <td class="left"> <a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.2" title="WWW-Authenticate">Section&nbsp;3.4</a>  
     822                  <td class="left"> <a href="#header.www-authenticate" id="rfc.xref.header.www-authenticate.2" title="WWW-Authenticate">Section&nbsp;4.4</a>  
    765823                  </td> 
    766824               </tr> 
     
    768826         </table> 
    769827      </div> 
    770       <p id="rfc.section.4.2.p.2">The change controller is: "IETF (iesg@ietf.org) - Internet Engineering Task Force".</p> 
    771       <h1 id="rfc.section.5"><a href="#rfc.section.5">5.</a>&nbsp;<a id="security.considerations" href="#security.considerations">Security Considerations</a></h1> 
    772       <p id="rfc.section.5.p.1">This section is meant to inform application developers, information providers, and users of the security limitations in HTTP/1.1 
     828      <p id="rfc.section.5.2.p.2">The change controller is: "IETF (iesg@ietf.org) - Internet Engineering Task Force".</p> 
     829      <h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a>&nbsp;<a id="security.considerations" href="#security.considerations">Security Considerations</a></h1> 
     830      <p id="rfc.section.6.p.1">This section is meant to inform application developers, information providers, and users of the security limitations in HTTP/1.1 
    773831         as described by this document. The discussion does not include definitive solutions to the problems revealed, though it does 
    774832         make some suggestions for reducing security risks. 
    775833      </p> 
    776       <h2 id="rfc.section.5.1"><a href="#rfc.section.5.1">5.1</a>&nbsp;<a id="auth.credentials.and.idle.clients" href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></h2> 
    777       <p id="rfc.section.5.1.p.1">Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide 
     834      <h2 id="rfc.section.6.1"><a href="#rfc.section.6.1">6.1</a>&nbsp;<a id="auth.credentials.and.idle.clients" href="#auth.credentials.and.idle.clients">Authentication Credentials and Idle Clients</a></h2> 
     835      <p id="rfc.section.6.1.p.1">Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide 
    778836         a method for a server to direct clients to discard these cached credentials. This is a significant defect that requires further 
    779837         extensions to HTTP. Circumstances under which credential caching can interfere with the application's security model include 
     
    788846         </li> 
    789847      </ul> 
    790       <p id="rfc.section.5.1.p.2">This is currently under separate study. There are a number of work-arounds to parts of this problem, and we encourage the 
     848      <p id="rfc.section.6.1.p.2">This is currently under separate study. There are a number of work-arounds to parts of this problem, and we encourage the 
    791849         use of password protection in screen savers, idle time-outs, and other methods which mitigate the security problems inherent 
    792850         in this problem. In particular, user agents which cache credentials are encouraged to provide a readily accessible mechanism 
    793851         for discarding cached credentials under user control. 
    794852      </p> 
    795       <h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a>&nbsp;<a id="ack" href="#ack">Acknowledgments</a></h1> 
    796       <p id="rfc.section.6.p.1"> <span class="comment" id="acks">[<a href="#acks" class="smpl">acks</a>: TBD.]</span>  
    797       </p> 
    798       <h1 id="rfc.references"><a id="rfc.section.7" href="#rfc.section.7">7.</a> References 
     853      <h1 id="rfc.section.7"><a href="#rfc.section.7">7.</a>&nbsp;<a id="ack" href="#ack">Acknowledgments</a></h1> 
     854      <p id="rfc.section.7.p.1">This specification takes over the definition of the HTTP Authentication Framework, previously defined in <cite title="Hypertext Transfer Protocol -- HTTP/1.1" id="rfc.xref.RFC2616.2">RFC 2617</cite>. We thank to John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence, Paul J. Leach, Ari Luotonen, 
     855         and Lawrence C. Stewart for their work on that specification. 
     856      </p> 
     857      <p id="rfc.section.7.p.2"> <span class="comment" id="acks">[<a href="#acks" class="smpl">acks</a>: HTTPbis acknowledgements.]</span>  
     858      </p> 
     859      <h1 id="rfc.references"><a id="rfc.section.8" href="#rfc.section.8">8.</a> References 
    799860      </h1> 
    800       <h2 id="rfc.references.1"><a href="#rfc.section.7.1" id="rfc.section.7.1">7.1</a> Normative References 
     861      <h2 id="rfc.references.1"><a href="#rfc.section.8.1" id="rfc.section.8.1">8.1</a> Normative References 
    801862      </h2> 
    802       <table>           
     863      <table>         
    803864         <tr> 
    804865            <td class="reference"><b id="Part1">[Part1]</b></td> 
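Review bot: the new acknowledgement paragraph cites the wrong reference. The visible text says "RFC 2617", but the cite element carries title="Hypertext Transfer Protocol -- HTTP/1.1" and id="rfc.xref.RFC2616.2", i.e. it was generated from an xref to RFC2616; the B.1 change-log citation being renumbered from rfc.xref.RFC2616.2 to rfc.xref.RFC2616.3 in this same changeset confirms that an extra RFC2616 xref was added. Point the source xref at RFC2617 so the cite resolves to the Basic/Digest reference this revision moves to the informative list. Also "We thank to John Franks, ..." should read "We thank John Franks, ...".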
     
    817878         </tr> 
    818879         <tr> 
    819             <td class="reference"><b id="RFC2617">[RFC2617]</b></td> 
    820             <td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, “<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999. 
    821             </td> 
    822          </tr> 
    823          <tr> 
    824880            <td class="reference"><b id="RFC5234">[RFC5234]</b></td> 
    825881            <td class="top"><a href="mailto:dcrocker@bbiw.net" title="Brandenburg InternetWorking">Crocker, D., Ed.</a> and <a href="mailto:paul.overell@thus.net" title="THUS plc.">P. Overell</a>, “<a href="http://tools.ietf.org/html/rfc5234">Augmented BNF for Syntax Specifications: ABNF</a>”, STD&nbsp;68, RFC&nbsp;5234, January&nbsp;2008. 
     
    827883         </tr> 
    828884      </table> 
    829       <h2 id="rfc.references.2"><a href="#rfc.section.7.2" id="rfc.section.7.2">7.2</a> Informative References 
     885      <h2 id="rfc.references.2"><a href="#rfc.section.8.2" id="rfc.section.8.2">8.2</a> Informative References 
    830886      </h2> 
    831       <table>     
     887      <table>       
    832888         <tr> 
    833889            <td class="reference"><b id="RFC2616">[RFC2616]</b></td> 
    834890            <td class="top"><a href="mailto:fielding@ics.uci.edu" title="University of California, Irvine">Fielding, R.</a>, <a href="mailto:jg@w3.org" title="W3C">Gettys, J.</a>, <a href="mailto:mogul@wrl.dec.com" title="Compaq Computer Corporation">Mogul, J.</a>, <a href="mailto:frystyk@w3.org" title="MIT Laboratory for Computer Science">Frystyk, H.</a>, <a href="mailto:masinter@parc.xerox.com" title="Xerox Corporation">Masinter, L.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, and <a href="mailto:timbl@w3.org" title="W3C">T. Berners-Lee</a>, “<a href="http://tools.ietf.org/html/rfc2616">Hypertext Transfer Protocol -- HTTP/1.1</a>”, RFC&nbsp;2616, June&nbsp;1999. 
     891            </td> 
     892         </tr> 
     893         <tr> 
     894            <td class="reference"><b id="RFC2617">[RFC2617]</b></td> 
     895            <td class="top"><a href="mailto:john@math.nwu.edu" title="Northwestern University, Department of Mathematics">Franks, J.</a>, <a href="mailto:pbaker@verisign.com" title="Verisign Inc.">Hallam-Baker, P.</a>, <a href="mailto:jeff@AbiSource.com" title="AbiSource, Inc.">Hostetler, J.</a>, <a href="mailto:lawrence@agranat.com" title="Agranat Systems, Inc.">Lawrence, S.</a>, <a href="mailto:paulle@microsoft.com" title="Microsoft Corporation">Leach, P.</a>, Luotonen, A., and <a href="mailto:stewart@OpenMarket.com" title="Open Market, Inc.">L. Stewart</a>, “<a href="http://tools.ietf.org/html/rfc2617">HTTP Authentication: Basic and Digest Access Authentication</a>”, RFC&nbsp;2617, June&nbsp;1999. 
    835896            </td> 
    836897         </tr> 
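Review bot: moving RFC 2617 from the normative to the informative references is consistent with absorbing the framework, but it is only correct if no remaining normative text depends on it. The removed index line at the end of this changeset listed ten RFC2617 citations, including two from 1.2.2 where challenge and credentials used to be imported; after this change each surviving citation should refer only to the Basic and Digest schemes (or to the history of the framework), otherwise the downgrade is not justified and the reference should stay normative.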
     
    860921      </div> 
    861922      <h1 id="rfc.section.A" class="np"><a href="#rfc.section.A">A.</a>&nbsp;<a id="collected.abnf" href="#collected.abnf">Collected ABNF</a></h1> 
    862       <div id="rfc.figure.u.7"></div> <pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = "Authorization:" OWS Authorization-v 
     923      <div id="rfc.figure.u.10"></div> <pre class="inline"><a href="#header.authorization" class="smpl">Authorization</a> = "Authorization:" OWS Authorization-v 
    863924<a href="#header.authorization" class="smpl">Authorization-v</a> = credentials 
    864925 
     
    876937 challenge ] ) 
    877938 
    878 <a href="#abnf.dependencies" class="smpl">challenge</a> = &lt;challenge, defined in [RFC2617], Section 1.2&gt; 
    879 <a href="#abnf.dependencies" class="smpl">credentials</a> = &lt;credentials, defined in [RFC2617], Section 1.2&gt; 
    880 </pre> <div id="rfc.figure.u.8"></div> 
     939<a href="#access.authentication.framework" class="smpl">auth-param</a> = token "=" ( token / quoted-string ) 
     940<a href="#access.authentication.framework" class="smpl">auth-scheme</a> = token 
     941 
     942<a href="#access.authentication.framework" class="smpl">challenge</a> = auth-scheme 1*SP *( "," OWS ) auth-param *( OWS "," [ OWS 
     943 auth-param ] ) 
     944<a href="#access.authentication.framework" class="smpl">credentials</a> = auth-scheme ( token / quoted-string / [ ( "," / 
     945 auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) 
     946 
     947<a href="#core.rules" class="smpl">quoted-string</a> = &lt;quoted-string, defined in [Part1], Section 1.2.2&gt; 
     948 
     949realm = "realm=" realm-value 
     950realm-value = quoted-string 
     951 
     952<a href="#core.rules" class="smpl">token</a> = &lt;token, defined in [Part1], Section 1.2.2&gt; 
     953</pre> <div id="rfc.figure.u.11"></div> 
    881954      <p>ABNF diagnostics:</p><pre class="inline">; Authorization defined but not used 
    882955; Proxy-Authenticate defined but not used 
    883956; Proxy-Authorization defined but not used 
    884957; WWW-Authenticate defined but not used 
     958; realm defined but not used 
    885959</pre><h1 id="rfc.section.B"><a href="#rfc.section.B">B.</a>&nbsp;<a id="change.log" href="#change.log">Change Log (to be removed by RFC Editor before publication)</a></h1> 
    886960      <h2 id="rfc.section.B.1"><a href="#rfc.section.B.1">B.1</a>&nbsp;Since RFC2616 
    887961      </h2> 
    888       <p id="rfc.section.B.1.p.1">Extracted relevant partitions from <a href="#RFC2616" id="rfc.xref.RFC2616.2"><cite title="Hypertext Transfer Protocol -- HTTP/1.1">[RFC2616]</cite></a>. 
     962      <p id="rfc.section.B.1.p.1">Extracted relevant partitions from <a href="#RFC2616" id="rfc.xref.RFC2616.3"><cite title="Hypertext Transfer Protocol -- HTTP/1.1">[RFC2616]</cite></a>. 
    889963      </p> 
    890964      <h2 id="rfc.section.B.2"><a href="#rfc.section.B.2">B.2</a>&nbsp;Since draft-ietf-httpbis-p7-auth-00 
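Review bot: in the new collected ABNF the credentials production, "credentials = auth-scheme ( token / quoted-string / [ ( "," / auth-param ) *( OWS "," [ OWS auth-param ] ) ] )", has no separator between auth-scheme and the following token, quoted-string or auth-param list, whereas the challenge production on the preceding lines requires 1*SP after auth-scheme. Since token cannot contain whitespace, a credentials value of the form "Basic dXNlcjpwYXNz" does not match the grammar as written, while the two tokens run together without a space would; add the same 1*SP separator to credentials. Separately, the new diagnostic "realm defined but not used" shows that realm and realm-value are defined but referenced by no other rule; either reference realm from the auth-param text that describes it or mark the production as defined for reference only, so the diagnostic does not read as an error in the grammar.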
     
    9431017      <p id="rfc.section.B.12.p.1">None yet.</p> 
    9441018      <h2 id="rfc.section.B.13"><a href="#rfc.section.B.13">B.13</a>&nbsp;<a id="changes.since.11" href="#changes.since.11">Since draft-ietf-httpbis-p7-auth-11</a></h2> 
    945       <p id="rfc.section.B.13.p.1">None yet.</p> 
     1019      <p id="rfc.section.B.13.p.1">Closed issues: </p> 
     1020      <ul> 
     1021         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/195">http://tools.ietf.org/wg/httpbis/trac/ticket/195</a>&gt;: "auth-param syntax" 
     1022         </li> 
     1023         <li> &lt;<a href="http://tools.ietf.org/wg/httpbis/trac/ticket/237">http://tools.ietf.org/wg/httpbis/trac/ticket/237</a>&gt;: "absorbing the auth framework from 2617" 
     1024         </li> 
     1025      </ul> 
    9461026      <h1 id="rfc.index"><a href="#rfc.index">Index</a></h1> 
    947       <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.H">H</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.S">S</a> <a href="#rfc.index.W">W</a>  
     1027      <p class="noprint"><a href="#rfc.index.4">4</a> <a href="#rfc.index.A">A</a> <a href="#rfc.index.C">C</a> <a href="#rfc.index.G">G</a> <a href="#rfc.index.H">H</a> <a href="#rfc.index.P">P</a> <a href="#rfc.index.R">R</a> <a href="#rfc.index.S">S</a> <a href="#rfc.index.W">W</a>  
    9481028      </p> 
    9491029      <div class="print2col"> 
    9501030         <ul class="ind"> 
    9511031            <li class="indline0"><a id="rfc.index.4" href="#rfc.index.4"><b>4</b></a><ul class="ind"> 
    952                   <li class="indline1">401 Unauthorized (status code)&nbsp;&nbsp;<a class="iref" href="#rfc.iref.2"><b>2.1</b></a>, <a class="iref" href="#rfc.xref.status.401.1">4.1</a></li> 
    953                   <li class="indline1">407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a class="iref" href="#rfc.iref.3"><b>2.2</b></a>, <a class="iref" href="#rfc.xref.status.407.1">4.1</a></li> 
     1032                  <li class="indline1">401 Unauthorized (status code)&nbsp;&nbsp;<a class="iref" href="#rfc.iref.6"><b>3.1</b></a>, <a class="iref" href="#rfc.xref.status.401.1">5.1</a></li> 
     1033                  <li class="indline1">407 Proxy Authentication Required (status code)&nbsp;&nbsp;<a class="iref" href="#rfc.iref.7"><b>3.2</b></a>, <a class="iref" href="#rfc.xref.status.407.1">5.1</a></li> 
    9541034               </ul> 
    9551035            </li> 
    9561036            <li class="indline0"><a id="rfc.index.A" href="#rfc.index.A"><b>A</b></a><ul class="ind"> 
    957                   <li class="indline1">Authorization header&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.authorization.1">2.1</a>, <a class="iref" href="#rfc.iref.a.1"><b>3.1</b></a>, <a class="iref" href="#rfc.xref.header.authorization.2">4.2</a></li> 
     1037                  <li class="indline1"><tt>auth-param</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.a.2"><b>2</b></a></li> 
     1038                  <li class="indline1"><tt>auth-scheme</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.a.1"><b>2</b></a></li> 
     1039                  <li class="indline1">Authorization header&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.authorization.1">2</a>, <a class="iref" href="#rfc.xref.header.authorization.2">3.1</a>, <a class="iref" href="#rfc.iref.a.3"><b>4.1</b></a>, <a class="iref" href="#rfc.xref.header.authorization.3">5.2</a></li> 
     1040               </ul> 
     1041            </li> 
     1042            <li class="indline0"><a id="rfc.index.C" href="#rfc.index.C"><b>C</b></a><ul class="ind"> 
     1043                  <li class="indline1"><tt>challenge</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.c.1"><b>2</b></a></li> 
     1044                  <li class="indline1"><tt>credentials</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.c.2"><b>2</b></a></li> 
    9581045               </ul> 
    9591046            </li> 
     
    9611048                  <li class="indline1"><tt>Grammar</tt>&nbsp;&nbsp; 
    9621049                     <ul class="ind"> 
    963                         <li class="indline1"><tt>Authorization</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.3"><b>3.1</b></a></li> 
    964                         <li class="indline1"><tt>Authorization-v</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.4"><b>3.1</b></a></li> 
    965                         <li class="indline1"><tt>challenge</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.1"><b>1.2.2</b></a></li> 
    966                         <li class="indline1"><tt>credentials</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.2"><b>1.2.2</b></a></li> 
    967                         <li class="indline1"><tt>Proxy-Authenticate</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.5"><b>3.2</b></a></li> 
    968                         <li class="indline1"><tt>Proxy-Authenticate-v</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.6"><b>3.2</b></a></li> 
    969                         <li class="indline1"><tt>Proxy-Authorization</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.7"><b>3.3</b></a></li> 
    970                         <li class="indline1"><tt>Proxy-Authorization-v</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.8"><b>3.3</b></a></li> 
    971                         <li class="indline1"><tt>WWW-Authenticate</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.9"><b>3.4</b></a></li> 
    972                         <li class="indline1"><tt>WWW-Authenticate-v</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.10"><b>3.4</b></a></li> 
     1050                        <li class="indline1"><tt>Authorization</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.1"><b>4.1</b></a></li> 
     1051                        <li class="indline1"><tt>Authorization-v</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.2"><b>4.1</b></a></li> 
     1052                        <li class="indline1"><tt>Proxy-Authenticate</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.3"><b>4.2</b></a></li> 
     1053                        <li class="indline1"><tt>Proxy-Authenticate-v</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.4"><b>4.2</b></a></li> 
     1054                        <li class="indline1"><tt>Proxy-Authorization</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.5"><b>4.3</b></a></li> 
     1055                        <li class="indline1"><tt>Proxy-Authorization-v</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.6"><b>4.3</b></a></li> 
     1056                        <li class="indline1"><tt>WWW-Authenticate</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.7"><b>4.4</b></a></li> 
     1057                        <li class="indline1"><tt>WWW-Authenticate-v</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.g.8"><b>4.4</b></a></li> 
    9731058                     </ul> 
    9741059                  </li> 
     
    9781063                  <li class="indline1">Headers&nbsp;&nbsp; 
    9791064                     <ul class="ind"> 
    980                         <li class="indline1">Authorization&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.authorization.1">2.1</a>, <a class="iref" href="#rfc.iref.h.1"><b>3.1</b></a>, <a class="iref" href="#rfc.xref.header.authorization.2">4.2</a></li> 
    981                         <li class="indline1">Proxy-Authenticate&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.proxy-authenticate.1">2.2</a>, <a class="iref" href="#rfc.iref.h.2"><b>3.2</b></a>, <a class="iref" href="#rfc.xref.header.proxy-authenticate.2">4.2</a></li> 
    982                         <li class="indline1">Proxy-Authorization&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.proxy-authorization.1">2.2</a>, <a class="iref" href="#rfc.iref.h.3"><b>3.3</b></a>, <a class="iref" href="#rfc.xref.header.proxy-authorization.2">4.2</a></li> 
    983                         <li class="indline1">WWW-Authenticate&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.www-authenticate.1">2.1</a>, <a class="iref" href="#rfc.iref.h.4"><b>3.4</b></a>, <a class="iref" href="#rfc.xref.header.www-authenticate.2">4.2</a></li> 
     1065                        <li class="indline1">Authorization&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.authorization.1">2</a>, <a class="iref" href="#rfc.xref.header.authorization.2">3.1</a>, <a class="iref" href="#rfc.iref.h.1"><b>4.1</b></a>, <a class="iref" href="#rfc.xref.header.authorization.3">5.2</a></li> 
     1066                        <li class="indline1">Proxy-Authenticate&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.proxy-authenticate.1">3.2</a>, <a class="iref" href="#rfc.iref.h.2"><b>4.2</b></a>, <a class="iref" href="#rfc.xref.header.proxy-authenticate.2">5.2</a></li> 
     1067                        <li class="indline1">Proxy-Authorization&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.proxy-authorization.1">3.2</a>, <a class="iref" href="#rfc.iref.h.3"><b>4.3</b></a>, <a class="iref" href="#rfc.xref.header.proxy-authorization.2">5.2</a></li> 
     1068                        <li class="indline1">WWW-Authenticate&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.www-authenticate.1">3.1</a>, <a class="iref" href="#rfc.iref.h.4"><b>4.4</b></a>, <a class="iref" href="#rfc.xref.header.www-authenticate.2">5.2</a></li> 
    9841069                     </ul> 
    9851070                  </li> 
     
    9871072            </li> 
    9881073            <li class="indline0"><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul class="ind"> 
    989                   <li class="indline1"><em>Part1</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part1.1">1.2</a>, <a class="iref" href="#rfc.xref.Part1.2">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.3">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.4">3.2</a>, <a class="iref" href="#rfc.xref.Part1.5">3.4</a>, <a class="iref" href="#Part1"><b>7.1</b></a><ul class="ind"> 
     1074                  <li class="indline1"><em>Part1</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part1.1">1.2</a>, <a class="iref" href="#rfc.xref.Part1.2">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.3">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.4">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.5">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.6">2</a>, <a class="iref" href="#rfc.xref.Part1.7">2</a>, <a class="iref" href="#rfc.xref.Part1.8">4.2</a>, <a class="iref" href="#rfc.xref.Part1.9">4.4</a>, <a class="iref" href="#Part1"><b>8.1</b></a><ul class="ind"> 
    9901075                        <li class="indline1"><em>Section 1.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part1.1">1.2</a></li> 
    991                         <li class="indline1"><em>Section 1.2.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part1.2">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.3">1.2.1</a></li> 
    992                         <li class="indline1"><em>Section 4.3</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part1.4">3.2</a>, <a class="iref" href="#rfc.xref.Part1.5">3.4</a></li> 
     1076                        <li class="indline1"><em>Section 1.2.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part1.2">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.3">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.4">1.2.1</a>, <a class="iref" href="#rfc.xref.Part1.5">1.2.1</a></li> 
     1077                        <li class="indline1"><em>Section 4.3</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part1.6">2</a>, <a class="iref" href="#rfc.xref.Part1.8">4.2</a>, <a class="iref" href="#rfc.xref.Part1.9">4.4</a></li> 
     1078                        <li class="indline1"><em>Section 7.1.3.1</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part1.7">2</a></li> 
    9931079                     </ul> 
    9941080                  </li> 
    995                   <li class="indline1"><em>Part6</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part6.1">3.1</a>, <a class="iref" href="#Part6"><b>7.1</b></a><ul class="ind"> 
    996                         <li class="indline1"><em>Section 1.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part6.1">3.1</a></li> 
     1081                  <li class="indline1"><em>Part6</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part6.1">4.1</a>, <a class="iref" href="#Part6"><b>8.1</b></a><ul class="ind"> 
     1082                        <li class="indline1"><em>Section 1.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.Part6.1">4.1</a></li> 
    9971083                     </ul> 
    9981084                  </li> 
    999                   <li class="indline1">Proxy-Authenticate header&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.proxy-authenticate.1">2.2</a>, <a class="iref" href="#rfc.iref.p.1"><b>3.2</b></a>, <a class="iref" href="#rfc.xref.header.proxy-authenticate.2">4.2</a></li> 
    1000                   <li class="indline1">Proxy-Authorization header&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.proxy-authorization.1">2.2</a>, <a class="iref" href="#rfc.iref.p.2"><b>3.3</b></a>, <a class="iref" href="#rfc.xref.header.proxy-authorization.2">4.2</a></li> 
     1085                  <li class="indline1">Proxy-Authenticate header&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.proxy-authenticate.1">3.2</a>, <a class="iref" href="#rfc.iref.p.1"><b>4.2</b></a>, <a class="iref" href="#rfc.xref.header.proxy-authenticate.2">5.2</a></li> 
     1086                  <li class="indline1">Proxy-Authorization header&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.proxy-authorization.1">3.2</a>, <a class="iref" href="#rfc.iref.p.2"><b>4.3</b></a>, <a class="iref" href="#rfc.xref.header.proxy-authorization.2">5.2</a></li> 
    10011087               </ul> 
    10021088            </li> 
    10031089            <li class="indline0"><a id="rfc.index.R" href="#rfc.index.R"><b>R</b></a><ul class="ind"> 
    1004                   <li class="indline1"><em>RFC2119</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2119.1">1.1</a>, <a class="iref" href="#RFC2119"><b>7.1</b></a></li> 
    1005                   <li class="indline1"><em>RFC2616</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2616.1">1</a>, <a class="iref" href="#RFC2616"><b>7.2</b></a>, <a class="iref" href="#rfc.xref.RFC2616.2">B.1</a></li> 
    1006                   <li class="indline1"><em>RFC2617</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2617.1">1</a>, <a class="iref" href="#rfc.xref.RFC2617.2">1</a>, <a class="iref" href="#rfc.xref.RFC2617.3">1.2.2</a>, <a class="iref" href="#rfc.xref.RFC2617.4">1.2.2</a>, <a class="iref" href="#rfc.xref.RFC2617.5">2.1</a>, <a class="iref" href="#rfc.xref.RFC2617.6">2.2</a>, <a class="iref" href="#rfc.xref.RFC2617.7">3.1</a>, <a class="iref" href="#rfc.xref.RFC2617.8">3.2</a>, <a class="iref" href="#rfc.xref.RFC2617.9">3.3</a>, <a class="iref" href="#rfc.xref.RFC2617.10">3.4</a>, <a class="iref" href="#RFC2617"><b>7.1</b></a><ul class="ind"> 
    1007                         <li class="indline1"><em>Section 1.2</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2617.3">1.2.2</a>, <a class="iref" href="#rfc.xref.RFC2617.4">1.2.2</a></li> 
    1008                      </ul> 
    1009                   </li> 
    1010                   <li class="indline1"><em>RFC3864</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC3864.1">4.2</a>, <a class="iref" href="#RFC3864"><b>7.2</b></a></li> 
    1011                   <li class="indline1"><em>RFC5234</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC5234.1">1.2</a>, <a class="iref" href="#rfc.xref.RFC5234.2">1.2</a>, <a class="iref" href="#RFC5234"><b>7.1</b></a><ul class="ind"> 
     1090                  <li class="indline1"><tt>realm</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.r.1"><b>2</b></a></li> 
     1091                  <li class="indline1"><tt>realm-value</tt>&nbsp;&nbsp;<a class="iref" href="#rfc.iref.r.2"><b>2</b></a></li> 
     1092                  <li class="indline1"><em>RFC2119</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2119.1">1.1</a>, <a class="iref" href="#RFC2119"><b>8.1</b></a></li> 
     1093                  <li class="indline1"><em>RFC2616</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2616.1">1</a>, <a class="iref" href="#rfc.xref.RFC2616.2">7</a>, <a class="iref" href="#RFC2616"><b>8.2</b></a>, <a class="iref" href="#rfc.xref.RFC2616.3">B.1</a></li> 
     1094                  <li class="indline1"><em>RFC2617</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC2617.1">1</a>, <a class="iref" href="#rfc.xref.RFC2617.2">1</a>, <a class="iref" href="#RFC2617"><b>8.2</b></a></li> 
     1095                  <li class="indline1"><em>RFC3864</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC3864.1">5.2</a>, <a class="iref" href="#RFC3864"><b>8.2</b></a></li> 
     1096                  <li class="indline1"><em>RFC5234</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC5234.1">1.2</a>, <a class="iref" href="#rfc.xref.RFC5234.2">1.2</a>, <a class="iref" href="#RFC5234"><b>8.1</b></a><ul class="ind"> 
    10121097                        <li class="indline1"><em>Appendix B.1</em>&nbsp;&nbsp;<a class="iref" href="#rfc.xref.RFC5234.2">1.2</a></li> 
    10131098                     </ul> 
     
    10181103                  <li class="indline1">Status Codes&nbsp;&nbsp; 
    10191104                     <ul class="ind"> 
    1020                         <li class="indline1">401 Unauthorized&nbsp;&nbsp;<a class="iref" href="#rfc.iref.s.1"><b>2.1</b></a>, <a class="iref" href="#rfc.xref.status.401.1">4.1</a></li> 
    1021                         <li class="indline1">407 Proxy Authentication Required&nbsp;&nbsp;<a class="iref" href="#rfc.iref.s.2"><b>2.2</b></a>, <a class="iref" href="#rfc.xref.status.407.1">4.1</a></li> 
     1105                        <li class="indline1">401 Unauthorized&nbsp;&nbsp;<a class="iref" href="#rfc.iref.s.1"><b>3.1</b></a>, <a class="iref" href="#rfc.xref.status.401.1">5.1</a></li> 
     1106                        <li class="indline1">407 Proxy Authentication Required&nbsp;&nbsp;<a class="iref" href="#rfc.iref.s.2"><b>3.2</b></a>, <a class="iref" href="#rfc.xref.status.407.1">5.1</a></li> 
    10221107                     </ul> 
    10231108                  </li> 
     
    10251110            </li> 
    10261111            <li class="indline0"><a id="rfc.index.W" href="#rfc.index.W"><b>W</b></a><ul class="ind"> 
    1027                   <li class="indline1">WWW-Authenticate header&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.www-authenticate.1">2.1</a>, <a class="iref" href="#rfc.iref.w.1"><b>3.4</b></a>, <a class="iref" href="#rfc.xref.header.www-authenticate.2">4.2</a></li> 
     1112                  <li class="indline1">WWW-Authenticate header&nbsp;&nbsp;<a class="iref" href="#rfc.xref.header.www-authenticate.1">3.1</a>, <a class="iref" href="#rfc.iref.w.1"><b>4.4</b></a>, <a class="iref" href="#rfc.xref.header.www-authenticate.2">5.2</a></li> 
    10281113               </ul> 
    10291114            </li> 
  • draft-ietf-httpbis/latest/p7-auth.xml

    r994 r998  
    1919  <!ENTITY basic-rules                  "<xref target='Part1' x:rel='#basic.rules' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
    2020  <!ENTITY effective-request-uri        "<xref target='Part1' x:rel='#effective.request.uri' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
     21  <!ENTITY end-to-end.and-hop-by-hop    "<xref target='Part1' x:rel='#end-to-end.and.hop-by-hop.header-fields' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
    2122  <!ENTITY shared-and-non-shared-caches "<xref target='Part6' x:rel='#shared.and.non-shared.caches' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 
    2223]> 
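Review bot: the new entity name `end-to-end.and-hop-by-hop` mixes a dot and a hyphen after "and", while the anchor it resolves to reads `end-to-end.and.hop-by-hop.header-fields` and the neighbouring `shared-and-non-shared-caches` entity uses hyphens throughout; renaming it to `end-to-end.and.hop-by-hop` (and its single use at the end of the framework section) keeps the entity names consistent with the anchors they point at.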
     
    207208<section title="Introduction" anchor="introduction"> 
    208209<t> 
    209    This document defines HTTP/1.1 access control and authentication. Right now it 
    210    includes the extracted relevant sections of 
    211    <xref target="RFC2616" x:fmt="none">RFC 2616</xref> with only minor changes. 
    212    The intention is to move the general framework for HTTP authentication here, 
    213    as currently specified in <xref target="RFC2617"/>, and allow the individual 
    214    authentication mechanisms to be defined elsewhere.  This introduction will 
    215    be rewritten when that occurs.  
     210   This document defines HTTP/1.1 access control and authentication. It 
     211   includes the relevant parts of <xref target="RFC2616" x:fmt="none">RFC 2616</xref> 
     212   with only minor changes, plus the general framework for HTTP authentication, 
     213   as previously defined in "HTTP Authentication: Basic and Digest Access 
     214   Authentication" (<xref target="RFC2617"/>). 
    216215</t> 
    217216<t> 
    218217   HTTP provides several &OPTIONAL; challenge-response authentication 
    219    mechanisms which can be used by a server to challenge a client 
    220    request and by a client to provide authentication information. The 
    221    general framework for access authentication, and the specification of 
    222    "basic" and "digest" authentication, are specified in "HTTP 
    223    Authentication: Basic and Digest Access Authentication" <xref target="RFC2617"/>. This 
    224    specification adopts the definitions of "challenge" and "credentials" 
    225    from that specification. 
     218   mechanisms which can be used by a server to challenge a client request and 
     219   by a client to provide authentication information. The "basic" and "digest" 
     220   authentication schemes continue to be specified in 
     221   <xref target="RFC2617" x:fmt="none">RFC 2617</xref>. 
    226222</t> 
    227223 
     
    250246  <x:anchor-alias value="OCTET"/> 
    251247  <x:anchor-alias value="VCHAR"/> 
     248  <x:anchor-alias value="SP"/> 
    252249  <x:anchor-alias value="WSP"/> 
    253250<t> 
     
    269266 
    270267<section title="Core Rules" anchor="core.rules"> 
    271   <x:anchor-alias value="OWS"/> 
    272 <t> 
    273   The core rules below are defined in &basic-rules;: 
     268   <x:anchor-alias value="quoted-string"/> 
     269   <x:anchor-alias value="token"/> 
     270   <x:anchor-alias value="OWS"/> 
     271<t> 
     272   The core rules below are defined in &basic-rules;: 
    274273</t> 
    275274<figure><artwork type="abnf2616"> 
    276   <x:ref>OWS</x:ref>         = &lt;OWS, defined in &basic-rules;&gt; 
     275  <x:ref>quoted-string</x:ref> = &lt;quoted-string, defined in &basic-rules;&gt; 
     276  <x:ref>token</x:ref>         = &lt;token, defined in &basic-rules;&gt; 
     277  <x:ref>OWS</x:ref>           = &lt;OWS, defined in &basic-rules;&gt; 
    277278</artwork></figure> 
    278279</section> 
    279  
    280 <section title="ABNF Rules defined in other Parts of the Specification" anchor="abnf.dependencies"> 
     280</section> 
     281</section> 
     282 
     283<section title="Access Authentication Framework" anchor="access.authentication.framework"> 
     284  <x:anchor-alias value="auth-scheme"/> 
     285  <x:anchor-alias value="auth-param"/> 
    281286  <x:anchor-alias value="challenge"/> 
    282287  <x:anchor-alias value="credentials"/> 
    283288<t> 
    284   <x:anchor-alias value="OWS"/> 
    285   The ABNF rules below are defined in other specifications:  
    286 </t> 
    287 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="challenge"/><iref primary="true" item="Grammar" subitem="credentials"/> 
    288   <x:ref>challenge</x:ref>   = &lt;challenge, defined in <xref target="RFC2617" x:fmt="," x:sec="1.2"/>&gt; 
    289   <x:ref>credentials</x:ref> = &lt;credentials, defined in <xref target="RFC2617" x:fmt="," x:sec="1.2"/>&gt; 
     289   HTTP provides a simple challenge-response authentication mechanism 
     290   that can be used by a server to challenge a client request and by a 
     291   client to provide authentication information. It uses an extensible, 
     292   case-insensitive token to identify the authentication scheme, 
     293   followed by a comma-separated list of attribute-value pairs which 
     294   carry the parameters necessary for achieving authentication via that 
     295   scheme. 
     296</t> 
     297<figure><artwork type="abnf2616"><iref item="auth-scheme" primary="true"/><iref item="auth-param" primary="true"/> 
     298  auth-scheme    = token 
     299  auth-param     = token "=" ( token / quoted-string ) 
    290300</artwork></figure> 
    291 </section> 
    292  
    293 </section> 
    294  
    295 </section> 
    296  
     301<t> 
     302   The 401 (Unauthorized) response message is used by an origin server 
     303   to challenge the authorization of a user agent. This response &MUST; 
     304   include a WWW-Authenticate header field containing at least one 
     305   challenge applicable to the requested resource. The 407 (Proxy 
     306   Authentication Required) response message is used by a proxy to 
     307   challenge the authorization of a client and &MUST; include a Proxy-Authenticate 
     308   header field containing at least one challenge 
     309   applicable to the proxy for the requested resource. 
     310</t> 
     311<figure><artwork type="abnf2616"><iref item="challenge" primary="true"/> 
     312  <x:ref>challenge</x:ref>   = <x:ref>auth-scheme</x:ref> 1*<x:ref>SP</x:ref> 1#<x:ref>auth-param</x:ref> 
     313</artwork></figure> 
     314<x:note> 
     315  <t> 
     316   <x:h>Note:</x:h> User agents will need to take special care in parsing the WWW-Authenticate 
     317   or Proxy-Authenticate header field value if it contains 
     318   more than one challenge, or if more than one WWW-Authenticate header 
     319   field is provided, since the contents of a challenge can itself 
     320   contain a comma-separated list of authentication parameters. 
     321  </t> 
     322</x:note> 
     323<t> 
     324   The authentication parameter realm is defined for all authentication 
     325   schemes: 
     326</t> 
     327<figure><artwork type="abnf2616"><iref item="realm" primary="true"/><iref item="realm-value" primary="true"/> 
     328  realm       = "realm" "=" realm-value 
     329  realm-value = quoted-string 
     330</artwork></figure> 
     331<t> 
     332   The realm directive (case-insensitive) is required for all 
     333   authentication schemes that issue a challenge. The realm value 
     334   (case-sensitive), in combination with the canonical root URL ( 
     335   the scheme and authority components of the effective request URI; see <xref target="Part1" x:fmt="of" x:rel="#effective.request.uri"/>) of the server being accessed, defines the protection space. 
     336   These realms allow the protected resources on a server to be 
     337   partitioned into a set of protection spaces, each with its own 
     338   authentication scheme and/or authorization database. The realm value 
     339   is a string, generally assigned by the origin server, which can have 
     340   additional semantics specific to the authentication scheme. Note that 
     341   there can be multiple challenges with the same auth-scheme but 
     342   different realms. 
     343</t> 
     344<t> 
     345   A user agent that wishes to authenticate itself with an origin 
     346   server -- usually, but not necessarily, after receiving a 401 
     347   (Unauthorized) -- &MAY; do so by including an Authorization header field 
     348   with the request. A client that wishes to authenticate itself with a 
     349   proxy -- usually, but not necessarily, after receiving a 407 (Proxy 
     350   Authentication Required) -- &MAY; do so by including a Proxy-Authorization 
     351   header field with the request.  Both the Authorization 
     352   field value and the Proxy-Authorization field value consist of 
     353   credentials containing the authentication information of the client 
     354   for the realm of the resource being requested. The user agent &MUST; 
     355   choose to use one of the challenges with the strongest auth-scheme it 
     356   understands and request credentials from the user based upon that 
     357   challenge. 
     358</t> 
     359<figure><artwork type="abnf2616"><iref item="credentials" primary="true"/> 
     360  <x:ref>credentials</x:ref> = <x:ref>auth-scheme</x:ref> ( <x:ref>token</x:ref> 
     361                            / <x:ref>quoted-string</x:ref> 
     362                            / #<x:ref>auth-param</x:ref> ) 
     363</artwork></figure> 
     364<x:note> 
     365  <t> 
     366      <x:h>Note:</x:h> many browsers will only recognize Basic and will require 
     367      that it be the first auth-scheme presented. Servers should only 
     368      include Basic if it is minimally acceptable.<cref>Either rephrase and add reference or drop.</cref> 
     369  </t> 
     370</x:note> 
     371<t> 
     372   The protection space determines the domain over which credentials can 
     373   be automatically applied. If a prior request has been authorized, the 
     374   same credentials &MAY; be reused for all other requests within that 
     375   protection space for a period of time determined by the 
     376   authentication scheme, parameters, and/or user preference. Unless 
     377   otherwise defined by the authentication scheme, a single protection 
     378   space cannot extend outside the scope of its server. 
     379</t> 
     380<t> 
     381   If the origin server does not wish to accept the credentials sent 
     382   with a request, it &SHOULD; return a 401 (Unauthorized) response. The 
     383   response &MUST; include a WWW-Authenticate header field containing at 
     384   least one (possibly new) challenge applicable to the requested 
     385   resource. If a proxy does not accept the credentials sent with a 
     386   request, it &SHOULD; return a 407 (Proxy Authentication Required). The 
     387   response &MUST; include a Proxy-Authenticate header field containing a 
     388   (possibly new) challenge applicable to the proxy for the requested 
     389   resource. 
     390</t> 
     391<t> 
     392   The HTTP protocol does not restrict applications to this simple 
     393   challenge-response mechanism for access authentication. Additional 
     394   mechanisms &MAY; be used, such as encryption at the transport level or 
     395   via message encapsulation, and with additional header fields 
     396   specifying authentication information. However, these additional 
     397   mechanisms are not defined by this specification. 
     398</t> 
     399<t> 
     400   Proxies &MUST; be completely transparent regarding user agent 
     401   authentication by origin servers. That is, they &MUST; forward the 
     402   WWW-Authenticate and Authorization headers untouched, and follow the 
     403   rules found in <xref target="header.authorization"/>. Both the Proxy-Authenticate and 
     404   the Proxy-Authorization header fields are hop-by-hop headers (see 
     405   &end-to-end.and-hop-by-hop;). 
     406</t> 
     407</section> 
    297408 
    298409<section title="Status Code Definitions" anchor="status.code.definitions"> 
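Review bot: the `credentials` rule, `auth-scheme ( token / quoted-string / #auth-param )`, has nothing between the scheme and what follows it, whereas `challenge` requires `1*SP` after `auth-scheme`; as written, a scheme followed by a space and a token does not match, since no element of the rule consumes the separator. Suggest mirroring the challenge rule, e.g. `credentials = auth-scheme 1*SP ( token / quoted-string / #auth-param )`, or stating the intended separator in the prose. Two smaller points in the same hunk: the note on Basic still carries the open `<cref>Either rephrase and add reference or drop.</cref>` marker, so the text is imported together with an unresolved editorial to-do, and the parsing advice in the `<x:note>` after the `challenge` rule repeats the "take special care in parsing" paragraph that remains in the WWW-Authenticate definition, so one of the two could simply refer to the other.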
     
    311422   authentication at least once, then the user &SHOULD; be presented the 
    312423   representation that was given in the response, since that representation might 
    313    include relevant diagnostic information. HTTP access authentication 
    314    is explained in "HTTP Authentication: Basic and Digest Access 
    315    Authentication" <xref target="RFC2617"/>. 
     424   include relevant diagnostic information. 
    316425</t> 
    317426</section> 
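Review bot: removing the sentence that pointed readers to RFC 2617 for how access authentication works leaves the 401 definition with no pointer at all now that the framework lives in this document; suggest replacing the removed sentence with a cross-reference to the new section, e.g. `HTTP access authentication is described in <xref target="access.authentication.framework"/>.`, and doing the same in the later hunks that drop the equivalent sentence from 407, Authorization, Proxy-Authenticate, Proxy-Authorization and WWW-Authenticate.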
     
    321430<t> 
    322431   This code is similar to 401 (Unauthorized), but indicates that the 
    323    client must first authenticate itself with the proxy. The proxy &MUST; 
     432   client ought to first authenticate itself with the proxy. The proxy &MUST; 
    324433   return a Proxy-Authenticate header field (<xref target="header.proxy-authenticate"/>) containing a 
    325434   challenge applicable to the proxy for the target resource. The 
    326435   client &MAY; repeat the request with a suitable Proxy-Authorization 
    327    header field (<xref target="header.proxy-authorization"/>). HTTP access authentication is explained 
    328    in "HTTP Authentication: Basic and Digest Access Authentication" 
    329    <xref target="RFC2617"/>. 
     436   header field (<xref target="header.proxy-authorization"/>). 
    330437</t> 
    331438</section> 
     
    355462</artwork></figure> 
    356463<t> 
    357    HTTP access authentication is described in "HTTP Authentication: 
    358    Basic and Digest Access Authentication" <xref target="RFC2617"/>. If a request is 
     464   If a request is 
    359465   authenticated and a realm specified, the same credentials &SHOULD; 
    360466   be valid for all other requests within this realm (assuming that 
     
    411517</artwork></figure> 
    412518<t> 
    413    The HTTP access authentication process is described in "HTTP 
    414    Authentication: Basic and Digest Access Authentication" <xref target="RFC2617"/>. Unlike 
    415    WWW-Authenticate, the Proxy-Authenticate header field applies only to 
     519   Unlike WWW-Authenticate, the Proxy-Authenticate header field applies only to 
    416520   the current connection and &SHOULD-NOT;  be passed on to downstream 
    417521   clients. However, an intermediate proxy might need to obtain its own 
     
    440544</artwork></figure> 
    441545<t> 
    442    The HTTP access authentication process is described in "HTTP 
    443    Authentication: Basic and Digest Access Authentication" <xref target="RFC2617"/>. Unlike 
    444    Authorization, the Proxy-Authorization header field applies only to 
     546   Unlike Authorization, the Proxy-Authorization header field applies only to 
    445547   the next outbound proxy that demanded authentication using the Proxy-Authenticate 
    446548   field. When multiple proxies are used in a chain, the 
     
    469571</artwork></figure> 
    470572<t> 
    471    The HTTP access authentication process is described in "HTTP 
    472    Authentication: Basic and Digest Access Authentication" <xref target="RFC2617"/>. User 
    473    agents are advised to take special care in parsing the WWW-Authenticate 
     573   User agents are advised to take special care in parsing the WWW-Authenticate 
    474574   field value as it might contain more than one challenge, 
    475575   or if more than one WWW-Authenticate header field is provided, the 
     
    597697<section title="Acknowledgments" anchor="ack"> 
    598698<t> 
    599   <cref anchor="acks">TBD.</cref> 
     699  This specification takes over the definition of the HTTP Authentication 
     700  Framework, previously defined in <xref target="RFC2616" x:fmt="none">RFC 2617</xref>. We thank to John Franks, 
     701  Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott D. Lawrence, 
     702  Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart for their work 
     703  on that specification. 
     704</t> 
     705<t> 
     706  <cref anchor="acks">HTTPbis acknowledgements.</cref> 
    600707</t> 
    601708</section> 
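Review bot: in the new Acknowledgments paragraph the xref `<xref target="RFC2616" x:fmt="none">RFC 2617</xref>` points at the RFC2616 reference while its visible text says RFC 2617; the target should be `RFC2617` (the reference anchor this same changeset moves into the informative references), otherwise the rendered link goes to the wrong document. Also "We thank to John Franks, ..." should read "We thank John Franks, ...".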
     
    710817  <seriesInfo name="BCP" value="14"/> 
    711818  <seriesInfo name="RFC" value="2119"/> 
    712 </reference> 
    713  
    714 <reference anchor="RFC2617"> 
    715   <front> 
    716     <title abbrev="HTTP Authentication">HTTP Authentication: Basic and Digest Access Authentication</title> 
    717     <author initials="J." surname="Franks" fullname="John Franks"> 
    718       <organization>Northwestern University, Department of Mathematics</organization> 
    719       <address><email>john@math.nwu.edu</email></address> 
    720     </author> 
    721     <author initials="P.M." surname="Hallam-Baker" fullname="Phillip M. Hallam-Baker"> 
    722       <organization>Verisign Inc.</organization> 
    723       <address><email>pbaker@verisign.com</email></address> 
    724     </author> 
    725     <author initials="J.L." surname="Hostetler" fullname="Jeffery L. Hostetler"> 
    726       <organization>AbiSource, Inc.</organization> 
    727       <address><email>jeff@AbiSource.com</email></address> 
    728     </author> 
    729     <author initials="S.D." surname="Lawrence" fullname="Scott D. Lawrence"> 
    730       <organization>Agranat Systems, Inc.</organization> 
    731       <address><email>lawrence@agranat.com</email></address> 
    732     </author> 
    733     <author initials="P.J." surname="Leach" fullname="Paul J. Leach"> 
    734       <organization>Microsoft Corporation</organization> 
    735       <address><email>paulle@microsoft.com</email></address> 
    736     </author> 
    737     <author initials="A." surname="Luotonen" fullname="Ari Luotonen"> 
    738       <organization>Netscape Communications Corporation</organization> 
    739     </author> 
    740     <author initials="L." surname="Stewart" fullname="Lawrence C. Stewart"> 
    741       <organization>Open Market, Inc.</organization> 
    742       <address><email>stewart@OpenMarket.com</email></address> 
    743     </author> 
    744     <date month="June" year="1999"/> 
    745   </front> 
    746   <seriesInfo name="RFC" value="2617"/> 
    747819</reference> 
    748820 
     
    808880</reference> 
    809881 
     882<reference anchor="RFC2617"> 
     883  <front> 
     884    <title abbrev="HTTP Authentication">HTTP Authentication: Basic and Digest Access Authentication</title> 
     885    <author initials="J." surname="Franks" fullname="John Franks"> 
     886      <organization>Northwestern University, Department of Mathematics</organization> 
     887      <address><email>john@math.nwu.edu</email></address> 
     888    </author> 
     889    <author initials="P.M." surname="Hallam-Baker" fullname="Phillip M. Hallam-Baker"> 
     890      <organization>Verisign Inc.</organization> 
     891      <address><email>pbaker@verisign.com</email></address> 
     892    </author> 
     893    <author initials="J.L." surname="Hostetler" fullname="Jeffery L. Hostetler"> 
     894      <organization>AbiSource, Inc.</organization> 
     895      <address><email>jeff@AbiSource.com</email></address> 
     896    </author> 
     897    <author initials="S.D." surname="Lawrence" fullname="Scott D. Lawrence"> 
     898      <organization>Agranat Systems, Inc.</organization> 
     899      <address><email>lawrence@agranat.com</email></address> 
     900    </author> 
     901    <author initials="P.J." surname="Leach" fullname="Paul J. Leach"> 
     902      <organization>Microsoft Corporation</organization> 
     903      <address><email>paulle@microsoft.com</email></address> 
     904    </author> 
     905    <author initials="A." surname="Luotonen" fullname="Ari Luotonen"> 
     906      <organization>Netscape Communications Corporation</organization> 
     907    </author> 
     908    <author initials="L." surname="Stewart" fullname="Lawrence C. Stewart"> 
     909      <organization>Open Market, Inc.</organization> 
     910      <address><email>stewart@OpenMarket.com</email></address> 
     911    </author> 
     912    <date month="June" year="1999"/> 
     913  </front> 
     914  <seriesInfo name="RFC" value="2617"/> 
     915</reference> 
     916 
    810917<reference anchor='RFC3864'> 
    811918  <front> 
     
    856963 challenge ] ) 
    857964 
    858 <x:ref>challenge</x:ref> = &lt;challenge, defined in [RFC2617], Section 1.2&gt; 
    859 <x:ref>credentials</x:ref> = &lt;credentials, defined in [RFC2617], Section 1.2&gt; 
     965<x:ref>auth-param</x:ref> = token "=" ( token / quoted-string ) 
     966<x:ref>auth-scheme</x:ref> = token 
     967 
     968<x:ref>challenge</x:ref> = auth-scheme 1*SP *( "," OWS ) auth-param *( OWS "," [ OWS 
     969 auth-param ] ) 
     970<x:ref>credentials</x:ref> = auth-scheme ( token / quoted-string / [ ( "," / 
     971 auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) 
     972 
     973<x:ref>quoted-string</x:ref> = &lt;quoted-string, defined in [Part1], Section 1.2.2&gt; 
     974 
     975realm = "realm=" realm-value 
     976realm-value = quoted-string 
     977 
     978<x:ref>token</x:ref> = &lt;token, defined in [Part1], Section 1.2.2&gt; 
    860979</artwork> 
    861980</figure> 
     
    865984; Proxy-Authorization defined but not used 
    866985; WWW-Authenticate defined but not used 
     986; realm defined but not used 
    867987</artwork></figure></section> 
    868988<?ENDINC p7-auth.abnf-appendix ?> 
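Review bot: the generated appendix now reports `; realm defined but not used`, which confirms that the `realm` rule in the framework section is not referenced from `challenge` or `credentials`; the prose says the realm directive is required for every challenge, but the grammar only admits it as an ordinary `auth-param`, so the restriction `realm-value = quoted-string` is not enforced by the ABNF. If that is intended (realm being a constraint on one particular auth-param, as in RFC 2617), a sentence saying so next to the rule would stop readers from reading the unused rule as a defect; otherwise the rule should be folded into `challenge`.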
     
    9931113<section title="Since draft-ietf-httpbis-p7-auth-11" anchor="changes.since.11"> 
    9941114<t> 
    995   None yet. 
     1115  Closed issues: 
     1116  <list style="symbols">  
     1117    <t> 
     1118      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/195"/>: 
     1119      "auth-param syntax" 
     1120    </t> 
     1121    <t> 
     1122      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/237"/>: 
     1123      "absorbing the auth framework from 2617" 
     1124    </t> 
     1125  </list> 
    9961126</t> 
    9971127</section> 