W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 2008

Re: 403/401 for access denied Re: Thoughts on relation to WebDAV

From: Werner Baumann <werner.baumann@onlinehome.de>
Date: Sun, 25 May 2008 11:54:56 +0200
Message-ID: <48393770.7010206@onlinehome.de>
CC: WebDAV <w3c-dist-auth@w3.org>


Helge Hess wrote:
> Summary: even if the user is authenticated, one would reissue a 401 if 
> access is denied to a resource. Which makes me wonder in what (real 
> world) situations one would use 403 then.
>
Access restrictions based on IP-address might cause a 403, for instance. 
Basically:
- 401 says: authenticate and the request will succeed
- 403 says: denied, and authentication will not help.

Actually, RFC 2616 says:
401 Unauthorized
it is *not* "401 for access-denied"

> Actually in the real world having to send a 401 for access-denied will 
> probably confuse almost any client. It will _clear_ authentication in 
> almost any (in fact many webapps rely on that for the 401-logout-hack).
>
I only know about HTTP-Basic- and HTTP-Digest-authentication. In this 
cases the client will include authentication information with every 
request. A 401 response includes information about the realm of 
authentication. A client will either repeat the request with 
authentication information included, or give up, if it can't 
authenticate for that realm. In practice: servers may require different 
authentication for different parts of their resources. A new request 
from the client may leave one realm of authentication and enter another 
one (e.g. some directory is only allowed for authenticated users; within 
this is an area only allowed for administrators).

> Also: RFC 3744 contradicts with that? Eg it says (3. Privileges):
>   http://webdav.org/specs/rfc3744.html#privileges
> 
>   'Servers must report a 403 "Forbidden" error if access is denied'
> 
> The whole RFC goes like this.
>
I never cared about RFC 3744. But at first sight, this looks like not 
being related to HTTP-authentication, but to be specific to privileges, 
ACEs and whatsoever defined in RFC 3744. It probably only makes sense 
when read within this context.

Werner
Received on Sunday, 25 May 2008 09:55:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:16 GMT