HTTP Request Header Authorization: Difference between revisions

From NovaOrdis Knowledge Base
(Created page with "=External= {{External|https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8}} =Internal= * HTTP Request =Overview=")
 
Line 8: Line 8:


=Overview=
=Overview=
<font color=red>TODO
      A user agent that wishes to authenticate itself with a server--
      usually, but not necessarily, after receiving a 401 response--does
      so by including an Authorization request-header field with the
      request.  The Authorization field value consists of credentials
      containing the authentication information of the user agent for
      the realm of the resource being requested.
          Authorization  = "Authorization" ":" credentials
      HTTP access authentication is described in "HTTP Authentication:
      Basic and Digest Access Authentication" [43]. If a request is
      authenticated and a realm specified, the same credentials SHOULD
      be valid for all other requests within this realm (assuming that
      the authentication scheme itself does not require otherwise, such
      as credentials that vary according to a challenge value or using
      synchronized clocks).
      When a shared cache (see section 13.7) receives a request
      containing an Authorization field, it MUST NOT return the
      corresponding response as a reply to any other request, unless one
      of the following specific exceptions holds:
      1. If the response includes the "s-maxage" cache-control
        directive, the cache MAY use that response in replying to a
        subsequent request. But (if the specified maximum age has
        passed) a proxy cache MUST first revalidate it with the origin
        server, using the request-headers from the new request to allow
        the origin server to authenticate the new request. (This is the
        defined behavior for s-maxage.) If the response includes "s-
        maxage=0", the proxy MUST always revalidate it before re-using
        it.
      2. If the response includes the "must-revalidate" cache-control
        directive, the cache MAY use that response in replying to a
        subsequent request. But if the response is stale, all caches
        MUST first revalidate it with the origin server, using the
        request-headers from the new request to allow the origin server
        to authenticate the new request.
      3. If the response includes the "public" cache-control directive,
        it MAY be returned in reply to any subsequent request.
</font>
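Review bot: the new Overview body carries over two references that resolve nowhere on this page, "[43]" in the sentence about Basic and Digest Access Authentication and "see section 13.7" in the shared cache paragraph. Suggest linking both to the document already listed under External, or replacing them with the titles they stand for. The whole block also sits under an open TODO inside a font color=red wrapper, so it reads as a pasted placeholder; a short summary of the three shared-cache exceptions (s-maxage, must-revalidate, public) in the page's own words would let the TODO and the wrapper be dropped.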

Revision as of 19:31, 21 February 2017

External

https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8

Internal

Overview

TODO

     A user agent that wishes to authenticate itself with a server--
     usually, but not necessarily, after receiving a 401 response--does
     so by including an Authorization request-header field with the
     request.  The Authorization field value consists of credentials
     containing the authentication information of the user agent for
     the realm of the resource being requested.
         Authorization  = "Authorization" ":" credentials
     HTTP access authentication is described in "HTTP Authentication:
     Basic and Digest Access Authentication" [43]. If a request is
     authenticated and a realm specified, the same credentials SHOULD
     be valid for all other requests within this realm (assuming that
     the authentication scheme itself does not require otherwise, such
     as credentials that vary according to a challenge value or using
     synchronized clocks).
     When a shared cache (see section 13.7) receives a request
     containing an Authorization field, it MUST NOT return the
     corresponding response as a reply to any other request, unless one
     of the following specific exceptions holds:
     1. If the response includes the "s-maxage" cache-control
        directive, the cache MAY use that response in replying to a
        subsequent request. But (if the specified maximum age has
        passed) a proxy cache MUST first revalidate it with the origin
        server, using the request-headers from the new request to allow
        the origin server to authenticate the new request. (This is the
        defined behavior for s-maxage.) If the response includes "s-
        maxage=0", the proxy MUST always revalidate it before re-using
        it.
     2. If the response includes the "must-revalidate" cache-control
        directive, the cache MAY use that response in replying to a
        subsequent request. But if the response is stale, all caches
        MUST first revalidate it with the origin server, using the
        request-headers from the new request to allow the origin server
        to authenticate the new request.
     3. If the response includes the "public" cache-control directive,
        it MAY be returned in reply to any subsequent request.
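
The shared-cache rule and its three exceptions above, written as a decision function. This is an added example, not part of the original page or of the quoted specification; the function names, the `age` and `is_stale` inputs, and the choice to revalidate on a malformed `s-maxage` or a stale `public` response are assumptions of the example.

```python
REUSE, REVALIDATE, FORBIDDEN = "reuse", "revalidate", "forbidden"

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_decision(request_headers, cache_control, age, is_stale):
    """Decide what a shared cache may do with a stored response.

    request_headers: headers of the request that produced the stored response
    cache_control:   Cache-Control value of that response
    age:             seconds since the response was stored
    is_stale:        outcome of the cache's ordinary freshness check
    """
    by_freshness = REVALIDATE if is_stale else REUSE
    # Header field names are case-insensitive.
    if not any(h.lower() == "authorization" for h in request_headers):
        return by_freshness              # the Authorization rule does not apply
    cc = parse_cache_control(cache_control)
    if "s-maxage" in cc:                 # exception 1
        try:
            limit = int(cc["s-maxage"])
        except (TypeError, ValueError):
            limit = 0                    # assumption: malformed value acts as 0
        return REVALIDATE if limit == 0 or age > limit else REUSE
    if "must-revalidate" in cc:          # exception 2
        return by_freshness
    if "public" in cc:                   # exception 3
        return by_freshness              # assumption: stale copies are revalidated
    return FORBIDDEN                     # default: never reuse for another request

# Constructed sample inputs: (request headers, Cache-Control, age, is_stale)
AUTH = {"Authorization": "Basic <constructed-credentials>"}
SAMPLES = [
    (AUTH, "max-age=60", 10, False),
    (AUTH, "s-maxage=30", 45, False),
    (AUTH, "must-revalidate, max-age=60", 10, False),
    (AUTH, "public, max-age=60", 10, False),
]

if __name__ == "__main__":
    for headers, cc, age, stale in SAMPLES:
        print(f"{cc!r:35} -> {shared_cache_decision(headers, cc, age, stale)}")
```

The `FORBIDDEN` result is the case to audit for in a proxy or CDN configuration: a response to an authenticated request with none of the three directives must not be served to any other request.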