Step 1: Server Sends an Unauthorized Status

Once a server receives a request without an Authorization: field to access a document that is protected, it sends an Unauthorized 401 status code, and a set of WWW-Authenticate: fields containing the valid authentication schemes and their scheme-specific parameters. In the Basic scheme the reply is the following:

    HTTP/1.0 401 Unauthorized -- authentication failed
    WWW-Authenticate: Basic realm="CollabName"

where realm specifies the password file used; the same server can use a different password file for different trees of documents (this is the server-id specified in the CERN server protection setup file). The client can thus figure out which password to use at any given time.
Step 2: Client Authenticates Himself

After receiving the Unauthorized status code, the browser prompts for user name and password (if they are not already given by the user), and constructs a string containing those two separated by a colon:

    username:password

This string is then encoded into printable characters, and sent along with the next request in the Authorization: field as follows:

    Authorization: Basic encoded_string
Step 3: Server Checks Authentication and Authorization

When the server receives a request to access a document protected by the Basic scheme, and the request is a full request containing an Authorization: field which contains the Basic scheme information, it will execute the following Access Request Validation Procedure:

  - Authorization: field with the scheme name Basic and encoded authorization string.
  - Unauthorized 401 status with WWW-Authenticate: field containing appropriate scheme name (Basic) and realm name is sent back (as if no authorization information was given).
  - Unauthorized 401 status with appropriate WWW-Authenticate: field is sent back.
  - Unauthorized 401 status and WWW-Authenticate: field etc.
  - mask-group (if) specified in protection setup file (using group file).
  - .www_acl (if any).
  - mask-group nor ACL, or if ACL exists, but there is no entry for that file, access is denied with a Forbidden 403 status code.
  - Unauthorized 401 status etc. is sent.
  - Not found 404 status is sent back.
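The three steps above, worked through in code as an added example (this is not the CERN server's code and is not taken from the page): build_authorization() does the client side of Step 2, and validate_request() does the server's validation procedure of Steps 1 and 3, returning the status and the WWW-Authenticate: challenge. Everything configured below is constructed for the example: the password file entries use salted SHA-256 hashes (the CERN password file format is not shown on this page and is not reproduced here), the protection setup, group file, .www_acl and document tree are small dictionaries, and the way a mask-group and an ACL combine is a simplified reading of the list above (a mask-group is consulted first if one is set, otherwise the ACL entry for the file).

```python
import base64
import hashlib
import hmac
from typing import Optional

# --- Constructed sample configuration (not a real CERN httpd setup) ---

def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, hex-encoded. Chosen for this example only."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

SALT = b"constructed-salt"

# One "password file" per realm: username -> (salt, stored hash)
PASSWORD_FILES = {
    "CollabName": {
        "alice": (SALT, hash_password("correct horse", SALT)),
        "bob": (SALT, hash_password("hunter2", SALT)),
    },
}

# Protection setup file: document tree prefix -> realm and optional mask-group
PROTECTION = {
    "/collab/": {"realm": "CollabName", "mask_group": "editors"},
    "/private/": {"realm": "CollabName", "mask_group": None},
}

GROUP_FILE = {"editors": {"alice"}}

# Per-tree .www_acl: filename -> set of users allowed to read it
ACL_FILES = {"/private/": {"notes.html": {"bob"}}}

# Documents that exist on this constructed server
DOCUMENTS = {"/collab/index.html", "/private/notes.html", "/private/secret.html"}


def build_authorization(username: str, password: str) -> str:
    """Step 2: join username:password and encode it into printable characters.
    The encoding is base64, which is reversible: it hides nothing from anyone
    who can read the request."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_authorization(header: Optional[str]) -> Optional[tuple[str, str]]:
    """Return (username, password) from a Basic Authorization: field,
    or None if the field is absent, uses another scheme, or is malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:  # a password may contain colons; a missing separator is invalid
        return None
    return user, password


def _challenge(realm: str) -> tuple[int, dict]:
    """Step 1: 401 plus the WWW-Authenticate: field naming scheme and realm."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def validate_request(path: str, headers: dict) -> tuple[int, dict]:
    """Step 3: Access Request Validation Procedure -> (status, response headers)."""
    tree = next((t for t in PROTECTION if path.startswith(t)), None)
    if tree is None:  # unprotected tree: no authentication needed
        return (200, {}) if path in DOCUMENTS else (404, {})
    setup = PROTECTION[tree]
    realm = setup["realm"]

    creds = parse_authorization(headers.get("Authorization"))
    if creds is None:  # no usable Basic credentials: challenge as if none were given
        return _challenge(realm)
    user, password = creds

    entry = PASSWORD_FILES[realm].get(user)
    if entry is None:  # user not in this realm's password file
        return _challenge(realm)
    salt, stored = entry
    # constant-time comparison, and the same response as for an unknown user
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return _challenge(realm)

    filename = path[len(tree):]
    mask_group = setup["mask_group"]
    acl = ACL_FILES.get(tree)
    if mask_group is not None:
        allowed = user in GROUP_FILE.get(mask_group, set())
    elif acl is not None and filename in acl:
        allowed = user in acl[filename]
    else:  # neither mask-group nor an ACL entry for this file: Forbidden
        return 403, {}
    if not allowed:  # authenticated but not authorized: 401 again
        return _challenge(realm)
    if path not in DOCUMENTS:
        return 404, {}
    return 200, {}
```

Two points worth noticing when reading the result: an unknown user name and a wrong password produce byte-identical 401 responses, so the response does not tell a client which of the two was wrong, and the decoded credentials are compared through hmac.compare_digest rather than ==, so the comparison takes the same time whether or not the first bytes match.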
See also the discussion about Basic Protection Scheme.
AL 12 December 1993