W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2008

Re: 401 Unauthenticated, 403 Unauthorized?

From: Werner Baumann <werner.baumann@onlinehome.de>
Date: Wed, 28 May 2008 18:26:22 +0200
Message-ID: <483D87AE.7010500@onlinehome.de>
CC: ietf-http-wg@w3.org

Miles Crawford wrote:
> Has any thought been given to changing the wording for these status codes?
> Presently, 401 is called "Unauthorized" and then proceeds to describe
> being unauthenticated.  403, ambiguously called "Forbidden" describes
> being unauthorized.
It is not the wording, the meaning is different from your interpretation.

HTTP-Authentication combines authentication and authorization. Clients 
send credentials with every request. The server checks
- whether the credentials are valid (authentication)
- and whether this user is authorized to access the requested resource
   with the request-method (authorization).

"401 Unauthorized" does not (and should not) tell, which of these two 
checks failed and why. Please see RFC 2617.

And this is 403, from RFC 2616:

   10.4.4 403 Forbidden

   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.
   If the request method was not HEAD and the server wishes to make
   public why the request has not been fulfilled, it SHOULD describe the
   reason for the refusal in the entity. If the server does not wish to
   make this information available to the client, the status code 404
   (Not Found) can be used instead.

Please note the "Authorization will not help".

Within the extension RFC 3744, Web Distributed Authoring and Versioning 
(WebDAV) Access Control Protocol, 403 may have a special meaning within 
the context of special requests, that is related to authorization. But I 
cannot judge this, and this does not affect the definition of status 
codes in RFC 2616.

Received on Wednesday, 28 May 2008 16:36:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:46 UTC