RFC2616:返回 401 时我真的需要设置 WWW_Authenticate 吗?
根据 RFC2616 如果我返回 401 来响应我的请求(Ruby) 服务器,我“必须包含 WWW-Authenticate 标头字段”。这是真的吗?不设置标题似乎没有负面影响。我使用 Merb 作为 Web 框架,它不会强制我设置标头。
我是否遗漏了一些东西,或者这是一条在违反规则时更受尊重的规则?
Web 框架是否应该强制开发人员在返回 401 时设置标头?
According to RFC2616 if I return 401 in response to a request to my (Ruby) server, I "MUST include a WWW-Authenticate header field." Is this really true? Not setting the header seems to have no negative impact. I'm using Merb as a web framework and it doesn't force me to set the header.
Am I missing something or is this a rule more honoured in the breach?
Should Web frameworks force the developer to set the header when returning 401?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
问题是您是否期望用户能够从 401 失败导航到成功的身份验证。如果您未能提供 WWW-Authenticate 标头,则您将 401 的含义从“您必须提供凭据”更改为“我们不喜欢您在这里的同类”。这可能适合您的目的,但拒绝凭据而不提供解决问题的方法的概念中固有的不礼貌是“必须”背后的根源。
The issue is whether you expect users to be able to navigate from the 401 failure to a successful authentication going forward. If you fail to provide a WWW-Authenticate header, then you are changing the meaning of the 401 from 'You must supply credentials' to 'we don't like your kind around here'. This might be fine for your purposes, but the inherent impoliteness in the concept of rejecting credentials without offering a way to fix the problem is the root behind the 'MUST'.
如果您希望客户端进行身份验证,则发送 401,在这种情况下您需要告诉它如何进行身份验证。
那么您希望客户做什么?如果这只是一条“你不能这样做”的消息,请考虑 403。
You send 401 if you want the client to authenticate, in which case you need to tell it how.
So what do you want the client to do? If it's just a "you can't do this" message, consider 403.