HTTP Request Header Authorization: Difference between revisions
Jump to navigation
Jump to search
(Created page with "=External= {{External|https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.8}} =Internal= * HTTP Request =Overview=") |
|||
| Line 8: | Line 8: | ||
=Overview= | =Overview= | ||
<font color=red>TODO | |||
A user agent that wishes to authenticate itself with a server-- | |||
usually, but not necessarily, after receiving a 401 response--does | |||
so by including an Authorization request-header field with the | |||
request. The Authorization field value consists of credentials | |||
containing the authentication information of the user agent for | |||
the realm of the resource being requested. | |||
Authorization = "Authorization" ":" credentials | |||
HTTP access authentication is described in "HTTP Authentication: | |||
Basic and Digest Access Authentication" [43]. If a request is | |||
authenticated and a realm specified, the same credentials SHOULD | |||
be valid for all other requests within this realm (assuming that | |||
the authentication scheme itself does not require otherwise, such | |||
as credentials that vary according to a challenge value or using | |||
synchronized clocks). | |||
When a shared cache (see section 13.7) receives a request | |||
containing an Authorization field, it MUST NOT return the | |||
corresponding response as a reply to any other request, unless one | |||
of the following specific exceptions holds: | |||
1. If the response includes the "s-maxage" cache-control | |||
directive, the cache MAY use that response in replying to a | |||
subsequent request. But (if the specified maximum age has | |||
passed) a proxy cache MUST first revalidate it with the origin | |||
server, using the request-headers from the new request to allow | |||
the origin server to authenticate the new request. (This is the | |||
defined behavior for s-maxage.) If the response includes "s- | |||
maxage=0", the proxy MUST always revalidate it before re-using | |||
it. | |||
2. If the response includes the "must-revalidate" cache-control | |||
directive, the cache MAY use that response in replying to a | |||
subsequent request. But if the response is stale, all caches | |||
MUST first revalidate it with the origin server, using the | |||
request-headers from the new request to allow the origin server | |||
to authenticate the new request. | |||
3. If the response includes the "public" cache-control directive, | |||
it MAY be returned in reply to any subsequent request. | |||
</font> | |||
Revision as of 19:31, 21 February 2017
External
Internal
Overview
TODO
A user agent that wishes to authenticate itself with a server--
usually, but not necessarily, after receiving a 401 response--does
so by including an Authorization request-header field with the
request. The Authorization field value consists of credentials
containing the authentication information of the user agent for
the realm of the resource being requested.
Authorization = "Authorization" ":" credentials
HTTP access authentication is described in "HTTP Authentication:
Basic and Digest Access Authentication" [43]. If a request is
authenticated and a realm specified, the same credentials SHOULD
be valid for all other requests within this realm (assuming that
the authentication scheme itself does not require otherwise, such
as credentials that vary according to a challenge value or using
synchronized clocks).
When a shared cache (see section 13.7) receives a request
containing an Authorization field, it MUST NOT return the
corresponding response as a reply to any other request, unless one
of the following specific exceptions holds:
1. If the response includes the "s-maxage" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But (if the specified maximum age has
passed) a proxy cache MUST first revalidate it with the origin
server, using the request-headers from the new request to allow
the origin server to authenticate the new request. (This is the
defined behavior for s-maxage.) If the response includes "s-
maxage=0", the proxy MUST always revalidate it before re-using
it.
2. If the response includes the "must-revalidate" cache-control
directive, the cache MAY use that response in replying to a
subsequent request. But if the response is stale, all caches
MUST first revalidate it with the origin server, using the
request-headers from the new request to allow the origin server
to authenticate the new request.
3. If the response includes the "public" cache-control directive,
it MAY be returned in reply to any subsequent request.