I would like to know if Authorization is typically included with an HTTP message or only
if a server requests it. RFC 1945 is unclear on this point.
I ask this because I would like one form of security to be where the client (not the end-user)
automatically sends an attribute at the HTTP level with the user's name and ideally the
domain name as well.
Such values could implement the attributes operation-user-name and operation-host-name. This
mechanism would allow a lightweight security mechanism that would work in cooperative
environments where people don't want to deal with passwords but also don't want to
cancel other people's jobs accidentally.
I think that this is one case that Roger missed in his enumeration of possible security
mechanisms.
Bob Herriot