Must a server read the body of a PUT request, even when generating a '401 Not Authorized' response?

Is a HTTP server expected to read the whole request body from a PUT request, even if access is denied?

Or is it compliant to return a 401 Not Authorized,开发者_运维知识库 without reading anything or only a small part of the body. (And add 'Connection: close' to prevent the connection from being reused)

Be careful: unless I'm missing something not reading the whole request body might block the client (trying to send it).

Note that this can be avoided by including

Expect: 100-continue

See RFC 2616, Section 8.2.3

No, your webserver won't have to read the the whole body of the http request.

There is no necessity mentioned in the RFC

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" [43].

Source: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html