At the recent IPP bake off the following issue came up.
Some clients determined if a Printer requires authentication by sending an
empty HTTP request. Some Printers treated this as an error. The resolution
was for clients to send a ValidateJob operation and by inference to allow
Printers to reject empty HTTP requests.
I raised the issue about whether a Printer should perform the authentication
challenge based solely on the URL or whether it could react differently to
an empty request than to a Validate-Job request.
I asked an HTTP expert and received the following information.
1) An HTTP server can have any policy.
This means that our decision is allowable.
2) It is best for a client if it can associate the URL tree with
the authentication space.
This means that our decision could be better. That is, we should
require an IPP Printer to decide whether to issue an authentication
challenge by examining the URL and nothing else, e.g. a Printer
receiving a request for a particular URL, gives the same
challenge to an empty request as to a Validate-Job request.
This solution allows a client to use Validate-Job to request a challenge as
we decided to allow. It also allows a client to use the empty request.
The important difference between our decision and what I am proposing is
that the Printer must perform an authentication challenge consistently for a
URL regardless of the contents of the message body. This rule make IPP
behavior consistent with good HTTP policy.