Helge Hess wrote: > Summary: even if the user is authenticated, one would reissue a 401 if > access is denied to a resource. Which makes me wonder in what (real > world) situations one would use 403 then. > Access restrictions based on IP-address might cause a 403, for instance. Basically: - 401 says: authenticate and the request will succeed - 403 says: denied, and authentication will not help. Actually, RFC 2616 says: 401 Unauthorized it is *not* "401 for access-denied" > Actually in the real world having to send a 401 for access-denied will > probably confuse almost any client. It will _clear_ authentication in > almost any (in fact many webapps rely on that for the 401-logout-hack). > I only know about HTTP-Basic- and HTTP-Digest-authentication. In this cases the client will include authentication information with every request. A 401 response includes information about the realm of authentication. A client will either repeat the request with authentication information included, or give up, if it can't authenticate for that realm. In practice: servers may require different authentication for different parts of their resources. A new request from the client may leave one realm of authentication and enter another one (e.g. some directory is only allowed for authenticated users; within this is an area only allowed for administrators). > Also: RFC 3744 contradicts with that? Eg it says (3. Privileges): > http://webdav.org/specs/rfc3744.html#privileges > > 'Servers must report a 403 "Forbidden" error if access is denied' > > The whole RFC goes like this. > I never cared about RFC 3744. But at first sight, this looks like not being related to HTTP-authentication, but to be specific to privileges, ACEs and whatsoever defined in RFC 3744. It probably only makes sense when read within this context. WernerReceived on Sunday, 25 May 2008 09:55:38 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:44:16 GMT