a question about WWW-Authenticate header

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

a question about WWW-Authenticate header

Manlio Perillo-4

Hi.

What is the "correct" behaviour for an HTTP user agent, when it process
a WWW-Authenticate header containing unsupported challenge?


I have found that Internet Explorer, Firefox, Konqueror, Epiphany,
ignore the header.

Opera, however, reports an error:

Error!
The server requested a login authentication method that is not supported.


Is this an acceptable behaviour?
RFC 2616 says nothing, here.



Thanks   Manlio Perillo


Reply | Threaded
Open this post in threaded view
|

Re: a question about WWW-Authenticate header

Julian Reschke

Manlio Perillo wrote:
> Hi.
>
> What is the "correct" behaviour for an HTTP user agent, when it process
> a WWW-Authenticate header containing unsupported challenge?

It depends.

Was the challenge the only challenge being returned? Was there a
response body that the UA could have displayed?

 > ...

BR, Julian

Reply | Threaded
Open this post in threaded view
|

Re: a question about WWW-Authenticate header

Manlio Perillo-4

Julian Reschke ha scritto:
> Manlio Perillo wrote:
>> Hi.
>>
>> What is the "correct" behaviour for an HTTP user agent, when it
>> process a WWW-Authenticate header containing unsupported challenge?
>
> It depends.
>
> Was the challenge the only challenge being returned?

Yes.


> Was there a
> response body that the UA could have displayed?
>

Yes, a text/plain response body, that Opera *does not* display.


>  > ...
>
> BR, Julian
>


Thanks  Manlio Perillo

Reply | Threaded
Open this post in threaded view
|

Re: a question about WWW-Authenticate header

Julian Reschke

Manlio Perillo wrote:

> Julian Reschke ha scritto:
>> Manlio Perillo wrote:
>>> Hi.
>>>
>>> What is the "correct" behaviour for an HTTP user agent, when it
>>> process a WWW-Authenticate header containing unsupported challenge?
>>
>> It depends.
>>
>> Was the challenge the only challenge being returned?
>
> Yes.
>
>
>> Was there a response body that the UA could have displayed?
>>
>
> Yes, a text/plain response body, that Opera *does not* display.

I think Opera should display it, although I agree there's no clear
language in RFC2616/2617 requiring it to do so.

Out of curiosity, does the situation change when the response uses
text/html?

 > ...

BR, Julian

Reply | Threaded
Open this post in threaded view
|

Re: a question about WWW-Authenticate header

Manlio Perillo-4

Julian Reschke ha scritto:

> Manlio Perillo wrote:
>> Julian Reschke ha scritto:
>>> Manlio Perillo wrote:
>>>> Hi.
>>>>
>>>> What is the "correct" behaviour for an HTTP user agent, when it
>>>> process a WWW-Authenticate header containing unsupported challenge?
>>>
> [...]
>
> I think Opera should display it, although I agree there's no clear
> language in RFC2616/2617 requiring it to do so.
>
> Out of curiosity, does the situation change when the response uses
> text/html?
>

It's the same, Opera does not display it.


Right now, I'm returning a 401 Unauthorized response, *without* the
WWW-Authenticate header (in violation of the HTTP 1.1 specification),
and all browsers display the response body.


>  > ...
>
> BR, Julian
>


Manlio Perillo