this is correct 
The authenticate header must identify at least one authentication challenge 
(Basic, Digest, SPAP, MSCHAP, whatever).

With regard to Basic Authentication:
"To receive authorization, the client sends the userid and password, separated 
by a single colon (":") character, within a base64 [7] encoded string in the 
credentials."
found in RFC 2617
http://www.ietf.org/rfc/rfc2617.txt

As the concept of no authentication challenge is not addressed specifically, I 
would *default* to implementing "Basic Authentication".

Anyone else?
M-
--------------------------------------------------------------------------- 
This e-mail message (including attachments, if any) is intended for the use of 
the individual or entity to which it is addressed and may contain information 
that is privileged, proprietary, confidential and exempt from disclosure. If 
you are not the intended recipient, you are notified that any dissemination, 
distribution or copying of this communication is strictly prohibited.
--------------------------------------------------------------------------- 
This electronic message (including any attachments) is addressed to the 
indicated recipient and may contain private or confidential information. If 
you are not the intended recipient of this document, please note that it is 
strictly forbidden to disseminate, distribute or reproduce it.
----- Original Message ----- 
From: "Fisher, Mitchell L" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Sunday, January 21, 2007 1:31 PM
Subject: RE: how to tell Tomcat to send a blank "WWW-Authenticate" header?



> Christopher Schultz wrote:
>> Also, you could set the error page that is used when a user doesn't
>> have the proper credentials to something that gives you the opportunity
>> to re-login in order to access the forbidden resource. When you want to
>> log someone out of BASIC authentication, you have to send a blank
>> "WWW-Authenticate" header to the client, just the same way that
>> Tomcat would do if you weren't already authenticated.

Could you expand on this?  RFC2616 (HTTP/1.1)
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47) says
of the WWW-Authenticate header:

"The field value consists of at least one challenge that indicates the
authentication scheme(s) and parameters applicable to the Request-URI."

Which clients would take a null WWW-Authenticate header to mean log out?

-Mitch

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
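As an added illustration of the two RFC passages quoted in this thread (M-'s quote of RFC 2617 on basic-credentials and Mitch's quote of RFC 2616 14.47 on WWW-Authenticate), the Python below is example code written for this page, not code from Tomcat or from either poster. It builds and decodes Basic credentials as base64(userid ":" password), and parses a WWW-Authenticate field value into its challenges, refusing an empty value because the RFC text requires at least one challenge. The header values and realm names are constructed samples; the UTF-8 charset for credentials and the token/quoted-string grammar used for auth-params are this example's assumptions.

```python
import base64
import re

# RFC 2616 token characters (section 2.2), used for scheme and parameter names.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One challenge scheme, optionally preceded by the comma that separates challenges.
_SCHEME = re.compile(rf"\s*,?\s*({_TOKEN})(?=\s|,|$)")
# One auth-param: name "=" (quoted-string | token), followed by "," or end of value.
_PARAM = re.compile(
    rf"\s*({_TOKEN})\s*=\s*(?:\"((?:[^\"\\]|\\.)*)\"|({_TOKEN}))\s*(?:,|$)"
)


def basic_credentials(userid, password):
    """Client side of RFC 2617 section 2: "Basic" + base64(userid ":" password)."""
    if ":" in userid:
        raise ValueError("RFC 2617 forbids a colon in the userid")
    # The RFC never fixes the charset; UTF-8 is this example's assumption.
    raw = f"{userid}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_credentials(authorization):
    """Server side: recover (userid, password) from an Authorization field value.

    Only the first colon separates the two fields, so the password may itself
    contain colons.
    """
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    userid, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("basic-credentials must contain a colon")
    return userid, password


def parse_challenges(www_authenticate):
    """Split a WWW-Authenticate field value into [(scheme, {param: value}), ...].

    RFC 2616 section 14.47 requires at least one challenge, so an empty or
    whitespace-only value is rejected instead of being returned as zero
    challenges. Bare token68 blobs (e.g. "Negotiate <base64>") are not handled.
    """
    value = www_authenticate.strip()
    if not value:
        raise ValueError("WWW-Authenticate must carry at least one challenge")
    challenges = []
    pos = 0
    while pos < len(value):
        m = _SCHEME.match(value, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}: {value[pos:]!r}")
        scheme, pos = m.group(1), m.end()
        params = {}
        while True:
            p = _PARAM.match(value, pos)
            if not p:
                break
            if p.group(2) is not None:
                # quoted-string: drop the backslash of each quoted-pair
                val = re.sub(r"\\(.)", r"\1", p.group(2))
            else:
                val = p.group(3)
            params[p.group(1).lower()] = val
            pos = p.end()
        challenges.append((scheme, params))
    return challenges


def is_valid_www_authenticate(value):
    """True when the value parses as one or more challenges, False otherwise."""
    try:
        return len(parse_challenges(value)) >= 1
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not captured from any real server.
    print(basic_credentials("Aladdin", "open sesame"))
    print(parse_challenges('Basic realm="Example", Digest realm="Example", qop="auth,auth-int"'))
    print(is_valid_www_authenticate(""))
```

`is_valid_www_authenticate("")` returning False is the RFC 2616 point in code form: a blank field value contains no challenge, so a response carrying it does not satisfy the grammar quoted above, whatever a given browser happens to do with it. The credential helpers keep the "Aladdin" / "open sesame" example from RFC 2617, whose encoding is QWxhZGRpbjpvcGVuIHNlc2FtZQ==.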
