[Osr-101] [Fwd: [Phoenix] Neutron-Auth does not specify WWW-Authenticate header]

Andreas Wuest awuest at student.ethz.ch
Thu Sep 7 17:10:26 CEST 2006


Hi

On 7.9.2006 at 16:52, Thomas Comiotto wrote:

> Hi
>>
>> Well, the problem is that RFC2616 says that if a 401 is returned "The 
>> response MUST include a WWW-Authenticate header field (section 14.47) 
>> containing a challenge applicable to the requested resource."
>>
> 
> You can return 200. Every other webservice does so too. You're talking 
> about the *transport* protocol Neutron runs over; accessing the service 
> endpoint might be granted for free, access to the actual remote methods 
> the service provides (opening/saving etc.) not.

Well, HTTP is part of the *application* layer. The header fields belong 
to the HTTP protocol. Whatever payload an HTTP request carries belongs to 
the application using the HTTP protocol.

A Neutron-enabled client might support Neutron-Auth, but it doesn't have 
to (i.e., it could also support Basic or Digest). On the contrary, a 
Neutron-enabled client might support several authentication schemes. In 
a request, we specify them in the WWW-Authenticate header. But the 
authentication scheme the server actually chooses to use has to be 
specified in its response (via the WWW-Authenticate field). Otherwise 
the client wouldn't know which one to use.

-- 
Kind regards,
Andi
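
The requirement discussed in this thread, that a 401 must carry a WWW-Authenticate challenge so the client can tell which scheme the server chose, as an added example (not code from this thread or from the Neutron project). The `realm` parameters and the sample header value are constructed, and token68-style challenges are not handled.

```python
import re

# Items are separated by commas that sit outside quoted-strings.
ITEM = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')
# auth-param: token "=" (token / quoted-string)
PARAM = re.compile(r"""^([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(.*)$""", re.S)

def split_outside_quotes(value):
    """Split a header value on commas that are not inside a quoted-string."""
    return [p.strip() for p in ITEM.findall(value) if p.strip()]

def unquote(v):
    """Strip the quotes of a quoted-string and undo backslash escapes."""
    v = v.strip()
    if len(v) >= 2 and v[0] == v[-1] == '"':
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v

def parse_challenges(header_value):
    """Return [(scheme, {param: value})] for one WWW-Authenticate value."""
    challenges = []
    for item in split_outside_quotes(header_value):
        m = PARAM.match(item)
        if m and challenges:  # further auth-param of the current challenge
            challenges[-1][1][m.group(1).lower()] = unquote(m.group(2))
            continue
        scheme, _, rest = item.partition(" ")  # item opens a new challenge
        m = PARAM.match(rest.strip())
        params = {m.group(1).lower(): unquote(m.group(2))} if m else {}
        challenges.append((scheme, params))
    return challenges

def choose_scheme(status, headers, supported):
    """Client side: first scheme offered by the server that we also support."""
    if status != 401:
        return None
    value = {k.lower(): v for k, v in headers.items()}.get("www-authenticate")
    if not value:
        raise ValueError("401 without WWW-Authenticate: no challenge to answer")
    for scheme, params in parse_challenges(value):
        if scheme.lower() in supported:  # supported holds lowercase names
            return scheme, params
    raise ValueError("server offered no scheme this client supports")

# Constructed sample; the realm values are assumptions, not Neutron's.
SAMPLE = 'Neutron-Auth realm="cms", Basic realm="a, b"'
```
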
