Hi Odi,

> I have seen webservices (from SAP) returning an HTML (yuck!) form to the
> webservice client to inform them that their password has expired...

I know a bunch of firewalls that will intercept _all_ connections on
all ports and return an HTML authentication form. Even if you were
trying to connect via HTTPS, or using ssh or cvs or whatever. You
have to access a protected server using a browser and http (even if
there is no HTTP server running there) and perform authentication.
Once the firewall knows your MAC address, you can then use any other
protocol...

> Well... HTTP defines status codes 401 Unauthorized and 403 forbidden to
> signal failed authentication. Both of them may contain a response entity
> e.g. HTML form. So applications that on authentication failure return
> status 200 and an error message are misbehaving in terms of the HTTP
> protocol.

I disagree. From RFC 2616:

   10.4.2 401 Unauthorized
   The request requires user authentication. The response MUST include a
   WWW-Authenticate header field (section 14.47) containing a challenge
   applicable to the requested resource.

This is not an appropriate response if authentication is not on
the HTTP level.

   10.4.4 403 Forbidden
   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.

That one's arguable. (HTTP) authentication will not help, that's a
match. The request SHOULD NOT be repeated... that's the part where
one might start to argue.

cheers,
  Roland
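
The situation discussed above, as an added example that is not part of the original message or of any project's code: a small response classifier a webservice client can run before it trusts a reply. It distinguishes a 401 that carries the WWW-Authenticate challenge RFC 2616 section 10.4.2 requires from a 401 without one, treats 403 as "do not retry with credentials", and flags a status 200 whose payload is really an HTML login or expired-password form (the SAP and captive-portal cases). The raw responses, the expected media type `text/xml`, the `build`/`parse_response`/`classify` helpers and the login-form regex are all assumptions made for this illustration, not captured traffic or any real product's behaviour.

```python
"""Classify HTTP authentication-related responses (added example, not from the thread).

All responses below are constructed sample data. The parser handles plain
HTTP/1.x responses delimited by Content-Length; chunked encoding is not decoded.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    reason: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def build(status: int, reason: str, headers: dict, body: bytes = b"") -> bytes:
    """Assemble a raw response with a correct Content-Length (sample data only)."""
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


def parse_response(raw: bytes) -> Response:
    """Split a raw HTTP/1.x response into status, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("iso-8859-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("bad status line")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.decode("iso-8859-1").partition(":")
        name = name.strip().lower()
        value = value.strip()
        # Repeated headers (e.g. several WWW-Authenticate challenges) are joined
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    length = headers.get("content-length")
    if length is not None:
        body = body[: int(length)]
    return Response(status, reason, headers, body)


# Heuristic (assumed) pattern for an HTML form asking for a password.
LOGIN_FORM = re.compile(rb'<form\b.*?<input\b[^>]*type\s*=\s*["\']?password', re.I | re.S)


def classify(resp: Response, expected_type: str = "text/xml") -> str:
    """Map a response to what the client should do about it."""
    media = resp.headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if resp.status == 401:
        # RFC 2616 10.4.2: a 401 MUST carry a WWW-Authenticate challenge.
        return "challenge" if "www-authenticate" in resp.headers else "bad-401"
    if resp.status == 403:
        return "forbidden"  # 10.4.4: authorization will not help; do not retry
    if resp.status == 200:
        # Status says success, but an HTML login/expired-password form is not
        # the webservice payload the client asked for.
        if media != expected_type.lower() or LOGIN_FORM.search(resp.body):
            return "disguised-auth"
        return "ok"
    return f"other-{resp.status}"


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "challenge": build(401, "Unauthorized", {"WWW-Authenticate": 'Basic realm="ws"'}),
    "bad_401": build(401, "Unauthorized", {"Content-Type": "text/html"},
                     b"<html><body>Login failed</body></html>"),
    "forbidden": build(403, "Forbidden", {}),
    "expired_password": build(200, "OK", {"Content-Type": "text/html"},
                              b'<html><form action="/pw"><input name="old" type="password">'
                              b'<input name="new" type="password"></form></html>'),
    "captive_portal": build(200, "OK", {"Content-Type": "text/html; charset=utf-8"},
                            b'<html><form method="post"><input type="text" name="user">'
                            b'<input type="password" name="pass"></form></html>'),
    "ok": build(200, "OK", {"Content-Type": "text/xml"}, b"<?xml version='1.0'?><r/>"),
}


def classify_all(samples: dict = SAMPLES) -> dict:
    return {name: classify(parse_response(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:18} -> {verdict}")
```

The media-type check does most of the work: a client expecting XML or SOAP should never accept `text/html` as a successful reply, whatever the status code says. The form regex is only a second net for servers that mislabel the HTML, and a real client would also want to handle chunked bodies and redirects to a portal host.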
