
Re: 403/401 for access denied Re: Thoughts on relation to WebDAV

From: Werner Baumann <werner.baumann@onlinehome.de>
Date: Sun, 25 May 2008 11:54:56 +0200
Message-ID: <48393770.7010206@onlinehome.de>
CC: WebDAV <w3c-dist-auth@w3.org>

Helge Hess wrote:
> Summary: even if the user is authenticated, one would reissue a 401 if 
> access is denied to a resource. Which makes me wonder in what (real 
> world) situations one would use 403 then.
Access restrictions based on IP-address might cause a 403, for instance. 
- 401 says: authenticate and the request will succeed
- 403 says: denied, and authentication will not help.

Actually, RFC 2616 says:
401 Unauthorized
it is *not* "401 for access-denied"

> Actually in the real world having to send a 401 for access-denied will 
> probably confuse almost any client. It will _clear_ authentication in 
> almost any (in fact many webapps rely on that for the 401-logout-hack).
I only know about HTTP Basic and HTTP Digest authentication. In these 
cases the client will include authentication information with every 
request. A 401 response includes information about the realm of 
authentication. A client will either repeat the request with 
authentication information included, or give up, if it can't 
authenticate for that realm. In practice: servers may require different 
authentication for different parts of their resources. A new request 
from the client may leave one realm of authentication and enter another 
one (e.g. some directory is only allowed for authenticated users; within 
this is an area only allowed for administrators).

> Also: RFC 3744 contradicts with that? Eg it says (3. Privileges):
>   http://webdav.org/specs/rfc3744.html#privileges
>   'Servers must report a 403 "Forbidden" error if access is denied'
> The whole RFC goes like this.
I never cared about RFC 3744. But at first sight, this looks like it is not 
related to HTTP authentication, but specific to privileges, 
ACEs and whatever else is defined in RFC 3744. It probably only makes sense 
when read within this context.

Received on Sunday, 25 May 2008 09:55:38 UTC
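The two rules stated in the reply (401 means "authenticate and the request will succeed", 403 means "denied, and authentication will not help") and the described client behaviour (retry with credentials for the challenged realm, or give up) can be made concrete in a small model. The following is an added illustration, not code from the thread or from any WebDAV server; the realms, users, networks and paths are constructed sample data, and Basic authentication is used only because it is the simplest scheme to show inline.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample data (assumption: a server with two protection spaces,
# where /admin/ is additionally restricted to one client network).
REALMS = {"/": "users", "/admin/": "administrators"}
USERS = {
    "users": {"alice": "s3cret", "bob": "hunter2"},
    "administrators": {"alice": "s3cret"},
}
IP_RESTRICTIONS = {"/admin/": [ipaddress.ip_network("10.0.0.0/8")]}


@dataclass
class Request:
    path: str
    client_ip: str
    authorization: Optional[str] = None


def realm_for(path: str) -> str:
    """Longest-prefix match: /admin/x belongs to 'administrators', /docs to 'users'."""
    prefix = max((p for p in REALMS if path.startswith(p)), key=len)
    return REALMS[prefix]


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; None if the header is absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, pw


def decide(req: Request) -> Tuple[int, Dict[str, str]]:
    """Server side: 403 where credentials cannot help, 401 with a realm where they can."""
    ip = ipaddress.ip_address(req.client_ip)
    for prefix, nets in IP_RESTRICTIONS.items():
        if req.path.startswith(prefix) and not any(ip in n for n in nets):
            return 403, {}  # denied by source address: no credentials will change this
    realm = realm_for(req.path)
    creds = parse_basic(req.authorization)
    if creds is None or USERS[realm].get(creds[0]) != creds[1]:
        # Missing, wrong, or valid-only-for-another-realm credentials:
        # challenge for the realm this resource belongs to.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    return 200, {}


def fetch(path: str, client_ip: str,
          creds_by_realm: Dict[str, Tuple[str, str]]) -> Tuple[int, int]:
    """Client side: one request without credentials, then at most one retry using
    the credentials held for the realm named in the challenge.
    Returns (final status, number of requests sent)."""
    status, headers = decide(Request(path, client_ip))
    sent = 1
    if status != 401:
        return status, sent
    m = re.search(r'realm="([^"]*)"', headers.get("WWW-Authenticate", ""))
    realm = m.group(1) if m else None
    if realm not in creds_by_realm:
        return status, sent  # cannot authenticate for that realm: give up
    user, pw = creds_by_realm[realm]
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    status, _ = decide(Request(path, client_ip, "Basic " + token))
    return status, sent + 1


if __name__ == "__main__":
    print(fetch("/docs/readme", "203.0.113.9", {"users": ("bob", "hunter2")}))
    print(fetch("/admin/cfg", "10.0.0.5", {"users": ("alice", "s3cret")}))
    print(fetch("/admin/cfg", "203.0.113.9", {"administrators": ("alice", "s3cret")}))
```

A client that holds credentials only for the "users" realm is challenged for "administrators" when it crosses into /admin/, and gives up with the 401 rather than resending the same credentials; a client outside 10.0.0.0/8 receives 403 on the first request and never sends credentials at all, which is exactly the distinction the reply draws.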

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:37 UTC