Re: multistatus and BIND

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 03 Oct 2006 18:13:44 +0200
Message-ID: <45228C38.8060707@gmx.de>
To: Tim Olsen <tolsen718@gmail.com>
CC: w3c-dist-auth@w3.org

Tim Olsen wrote:
> On 10/3/06, Julian Reschke <julian.reschke@gmx.de> wrote:
>> Tim Olsen wrote:
>> > Let's say I do an infinite-depth copy on /CollX to /CollY, and I have
>> > read permission on Collection C1, but not on Resource R1.  In my
>> > multistatus response, do I have to specify a 401 for each URL for
>> > Resource R1 (/CollX/x.gif and /CollX/y.gif), or for just one of them?
>>
>> Independently of that question, it would be 403, right?
> 
> I'm not sure.  From HTTP/1.1 :
> 
> "If the request already included Authorization credentials, then the
> 401 response indicates that authorization has been refused for those
> credentials."
> 
> Whereas for 403:
> 
> "Authorization will not help and the request SHOULD NOT be repeated."
> 
> So if you have the option of authenticating with different credentials
> which may have the proper permissions, then I guess 401 is
> appropriate?

Yes, it seems you are right. Of course that may be hard to detect on the 
server...
Received on Tuesday, 3 October 2006 16:13:58 GMT
