
Re: WGLC #357: Authentication Exchanges

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 20 Jun 2012 11:24:15 +0200
Message-ID: <4FE196BF.3020909@gmx.de>
To: Yutaka OIWA <y.oiwa@aist.go.jp>
CC: Mark Nottingham <mnot@mnot.net>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
On 2012-06-20 10:36, Yutaka OIWA wrote:
> Dear Amos and Mark,
>
>> A server receiving credentials that are valid, but not adequate to gain access, ought to respond with the 403 (Forbidden) status code.
>
> I have a different understanding on the use of 401/403 statuses.
> At least on current implementations (e.g. Apache),
> auth-succeed and authz-failed status will be represented by
> 401-status instead of 403.
> 403 status is used, for example, when the content is
> not accessible by underlying filesystem permissions,
> or by server configuration for denying directory listing.
>
> I think this (use 401 instead of 403) should be kept for two reasons:
>
>   * Without 401 status, client will not know that changing
>      the user name and the password will solve the
>      inaccessibility issue.

Sorry?

"The server understood the request, but refuses to authorize it. 
Providing different user authentication credentials might be successful, 
but any credentials that were provided in the request are insufficient. 
The request SHOULD NOT be repeated with the same credentials." - 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.7.4.3>

> ...

Best regards, Julian
Received on Wednesday, 20 June 2012 09:24:57 GMT
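The distinction the two messages are arguing about (401 when the client can fix things by supplying different credentials, 403 when the credentials were valid but the resource is still not allowed) is easy to get backwards in a handler. The following is an added example, not code from either poster or from any HTTP server discussed in the thread; it implements the status selection the quoted draft text describes, on top of a constructed Basic-auth user table (`USERS`, `REALM`, and all function names are hypothetical).

```python
import base64
import binascii
import hmac
from typing import Optional, Set, Tuple

# Constructed sample credential store (hypothetical, not from the thread).
# Maps username -> (password, roles). A real store would hold salted
# password hashes rather than plaintext.
USERS = {
    "alice": ("alice-secret", {"reader"}),
    "bob": ("bob-secret", {"reader", "admin"}),
}

REALM = "example"


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value for the Basic scheme."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse a Basic credential; return (user, password), or None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, param = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(creds: Optional[Tuple[str, str]]) -> Optional[Set[str]]:
    """Return the user's roles when the credentials are valid, else None."""
    if creds is None:
        return None
    user, password = creds
    stored = USERS.get(user)
    # Compare against something even for unknown users so the timing of the
    # check does not reveal whether the username exists.
    expected = stored[0] if stored else ""
    matched = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    if stored is None or not matched:
        return None
    return stored[1]


def authorize(authorization: Optional[str], required_role: str) -> Tuple[int, dict]:
    """Choose the response for a request whose resource requires `required_role`.

    Returns (status, extra_headers):
      401 + WWW-Authenticate  no credentials, or credentials that do not verify;
                              the client may succeed by sending different ones
      403                     credentials verified but do not grant this resource;
                              repeating with the same credentials will not help
      200                     authenticated and authorized
    """
    roles = authenticate(parse_basic(authorization))
    if roles is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if required_role not in roles:
        return 403, {}
    return 200, {}


if __name__ == "__main__":
    # Constructed requests against a resource that requires the "admin" role.
    for label, header in [
        ("no credentials", None),
        ("wrong password", basic_header("alice", "nope")),
        ("valid, not admin", basic_header("alice", "alice-secret")),
        ("valid admin", basic_header("bob", "bob-secret")),
    ]:
        status, extra = authorize(header, "admin")
        print(f"{label:18s} -> {status} {extra}")
```

Note that the 401 branch always carries a `WWW-Authenticate` challenge, which is what lets the client know a retry with other credentials is meaningful; the 403 branch deliberately omits it.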