Re: Proxy Auth???
Dave Kristol (dmk@bell-labs.com)
Fri, 07 Aug 1998 10:09:55 -0400
Paul Leach wrote:
>
> Is Proxy-Authorization only sent after 407, or can it also be sent after
> 401? Section 3.6 (entitled Proxy-Authentication and Proxy-Authorization)
> says that:
>
> Upon receiving a request which requires authentication, the proxy/server
> must issue the "HTTP/1.1 401 Unauthorized " response with a
> "Proxy-Authenticate" header.
>
> Section 1.2 says:
>
> The 401 (Unauthorized) response message is used by an origin server to
> challenge the authorization of a user agent. This response MUST include a
> WWW-Authenticate header field containing at least one challenge applicable
> to the requested resource. The 407 (Proxy Authentication Required) response
> message is used by a proxy to challenge the authorization of a client and
> MUST include a Proxy-Authenticate header field containing a challenge
> applicable to the proxy for the requested resource.

Sounds like a bug in the spec. to me. WWW-Authenticate goes with 401,
Proxy-Authenticate goes with 407.

The paragraph at the end of 3.6 seems wrong. I don't think you can get
both WWW-Authenticate *and* Proxy-Authenticate in one response. First
you would get a 407 from the proxy, then a 401 from the origin server.
Both could occur, of course, on one request.

Dave Kristol
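
The status/header pairing discussed in this thread (401 with WWW-Authenticate, 407 with Proxy-Authenticate), as an added example that is not part of the original message: a Python check that reads a response head, reports which request header the client should answer with, and flags a mismatched challenge such as the 401 plus Proxy-Authenticate combination quoted from section 3.6. The function names, realms and nonce values are constructed for illustration.

```python
# Added example: validate the pairing of challenge status and challenge header.
# status -> (challenge header in the response, credentials header in the retry)
PAIRING = {
    401: ("WWW-Authenticate", "Authorization"),          # origin server
    407: ("Proxy-Authenticate", "Proxy-Authorization"),  # proxy
}

def parse_response(raw):
    """Split a raw response head into (status, {lower-cased header: value})."""
    lines = raw.strip().split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_challenge(raw):
    """Return (reply_header, problems) for a response.

    reply_header is the request header the client should send on retry,
    or None when the response carries no usable challenge for its status.
    """
    status, headers = parse_response(raw)
    if status not in PAIRING:
        return None, []
    challenge, reply = PAIRING[status]
    problems = []
    if challenge.lower() not in headers:
        problems.append(f"{status} without {challenge}")
        reply = None
    for other_status, (other_challenge, _) in PAIRING.items():
        if other_status != status and other_challenge.lower() in headers:
            problems.append(f"{status} carries {other_challenge}")
    return reply, problems

# Constructed sample responses (realm and nonce values are made up).
PROXY_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
             'Proxy-Authenticate: Digest realm="proxy.example", nonce="n1"\r\n\r\n')
ORIGIN_401 = ("HTTP/1.1 401 Unauthorized\r\n"
              'WWW-Authenticate: Digest realm="origin.example", nonce="n2"\r\n\r\n')
# The combination the quoted section 3.6 text describes.
MISMATCH = ("HTTP/1.1 401 Unauthorized\r\n"
            'Proxy-Authenticate: Digest realm="proxy.example", nonce="n3"\r\n\r\n')

if __name__ == "__main__":
    for name, raw in [("proxy", PROXY_407), ("origin", ORIGIN_401), ("mismatch", MISMATCH)]:
        print(name, check_challenge(raw))
```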