httpd-dev mailing list archives

From Doug MacEachern <do...@opengroup.org>
Subject Re: cvs commit: apache/src http_protocol.c
Date Thu, 30 Jan 1997 13:54:53 GMT
"Roy T. Fielding" <fielding@liege.ICS.UCI.EDU> wrote:

> >>   Also allow WWW-Authenticate to be sent on 304 response.
> > 
> > Wha? WWW-Authenticate is only set for 401 responses, isn't it?
> 
> Apparently not.  If it is being used to carry server authenticity
> data, as appears to be the case for the Kerberos thingy, then it
> would appear on any response that would be authenticated by the client.
> I don't use Kerberos, but that was the essence of the report.

Exactly.  With KerberosV5 authentication, as part of a 401 response the
server will send a WWW-Authenticate challenge; with all other
responses, it sends bits in the WWW-Authenticate header so the client
can authenticate the server.  It's what makes "mutual authentication"
`mutual'.

-Doug
		
> 
> .....Roy
> 
