This is correct. The authenticate header must identify at least one authentication challenge (Basic, Digest, SPAP, MSCHAP, whatever).

With regards to Basic Authentication: "To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 [7] encoded string in the credentials." Found in RFC 2617, http://www.ietf.org/rfc/rfc2617.txt

As the concept of no authentication challenge is not addressed specifically, I would *default* to implementing "Basic Authentication". Anyone else?

M-

---------------------------------------------------------------------------
This e-mail message (including attachments, if any) is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, proprietary, confidential and exempt from disclosure. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this communication is strictly prohibited.
---------------------------------------------------------------------------

----- Original Message -----
From: "Fisher, Mitchell L" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Sunday, January 21, 2007 1:31 PM
Subject: RE: how to tell Tomcat to send a blank "WWW-Authenticate" header?

> Christopher Schultz wrote:
>> Also, you could set the error page that is used when a user doesn't have
>> the proper credentials to something that gives you the opportunity to
>> re-login in order to access the forbidden resource. When you want to log
>> someone out of BASIC authentication, you have to send a blank
>> "WWW-Authenticate" header to the client, just the same way that Tomcat
>> would do if you weren't already authenticated.
>
> Could you expand on this? RFC2616 (HTTP/1.1)
> (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47) says of
> the WWW-Authenticate header: "The field value consists of at least one
> challenge that indicates the authentication scheme(s) and parameters
> applicable to the Request-URI."
>
> Which clients would take a null WWW-Authenticate header to mean log out?
>
> -Mitch
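To make the two RFC passages quoted in this thread concrete, here is an added Python example (not code from the thread, and not Tomcat's implementation) of both halves of Basic authentication: the client builds the `Authorization: Basic` credentials exactly as RFC 2617 section 2 describes (userid and password joined by a single colon, base64-encoded), and the server parses them, checks them, and on failure answers 401 with a `WWW-Authenticate` value that carries a real challenge, as RFC 2616 section 14.47 requires. The realm name `example`, the user table and the ISO-8859-1 charset are assumptions for the example (RFC 2617 names no charset for the credentials). The example takes no position on whether any client treats a blank `WWW-Authenticate` header as a logout; it only shows that such a value fails the RFC 2616 "at least one challenge" rule.

```python
import base64
import binascii
import hmac

# Assumed realm name for this example; not from the thread.
REALM = "example"

# Constructed user table for the example (plaintext only to keep the demo short;
# a real server would store a password hash).
USERS = {"alice": "s3cr:et"}


def basic_challenge(realm=REALM):
    """Build the Basic challenge for WWW-Authenticate (RFC 2617 section 2)."""
    return 'Basic realm="%s"' % realm.replace('"', '\\"')


def encode_basic_credentials(userid, password):
    """Client side: "Basic " + base64("userid:password"), per RFC 2617 section 2.

    RFC 2617 forbids a colon in the userid and names no charset; this example
    assumes ISO-8859-1 (latin-1).
    """
    if ":" in userid:
        raise ValueError("userid must not contain a colon")
    raw = ("%s:%s" % (userid, password)).encode("latin-1")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(authorization):
    """Server side: return (userid, password), or None if the header is unusable."""
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("latin-1")  # latin-1 decoding cannot fail
    if ":" not in text:
        return None
    # Only the first colon separates the fields: the password may itself contain colons.
    userid, password = text.split(":", 1)
    return userid, password


def is_valid_www_authenticate(value):
    """RFC 2616 section 14.47: the field value must carry at least one challenge."""
    return bool(value and value.strip())


def handle_request(headers, users=USERS):
    """Decide a request for a protected resource: returns (status, response headers)."""
    creds = parse_basic_credentials(headers.get("Authorization"))
    if creds is not None:
        userid, password = creds
        expected = users.get(userid)
        # Constant-time comparison so response timing does not leak how much matched.
        if expected is not None and hmac.compare_digest(
            expected.encode("latin-1"), password.encode("latin-1")
        ):
            return 200, {}
    # Missing or wrong credentials: 401 with a proper challenge, never a blank header.
    return 401, {"WWW-Authenticate": basic_challenge()}


if __name__ == "__main__":
    header = encode_basic_credentials("alice", "s3cr:et")
    print(header)
    print(handle_request({}))
    print(handle_request({"Authorization": header}))
```

The `Aladdin` / `open sesame` pair used in the checks below is the worked example from RFC 2617 itself, so the encoder can be compared against the RFC's own expected value.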