
Re: 403/401 for access denied Re: Thoughts on relation to WebDAV

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 25 May 2008 18:12:09 +0200
Message-ID: <48398FD9.9040507@gmx.de>
To: Helge Hess <helge.hess@opengroupware.org>
CC: WebDAV <w3c-dist-auth@w3.org>

Helge Hess wrote:
> 
> On 24.05.2008, at 18:13, Werner Baumann wrote:
>> BTW: 403 Forbidden is *not* related to authorization; that's 401.
> 
> 
> You are right! Weird, I always got this wrong. (RFC 2616, 10.4.2/10.4.4 
> explicitly states what you say).
> 
> Summary: even if the user is authenticated, one would reissue a 401 if 
> access is denied to a resource. Which makes me wonder in what (real 
> world) situations one would use 403 then.

That's incorrect.

401 means you need to authenticate. 403 means, you're not allowed to do 
what you want to do.

> Actually in the real world having to send a 401 for access-denied will 
> probably confuse almost any client. It will _clear_ authentication in 
> almost any (in fact many webapps rely on that for the 401-logout-hack).
> 
> Also: RFC 3744 contradicts that? E.g. it says (3. Privileges):
>   http://webdav.org/specs/rfc3744.html#privileges
> 
>   'Servers must report a 403 "Forbidden" error if access is denied'
> 
> The whole RFC goes like this.
> 
> I'm confused ;-/

The RFC is right. 403 means "forbidden".

BR, Julian
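As an added illustration of the distinction Julian draws (example code written for this archive page, not from the thread or any WebDAV server; the user table, ACL entries and paths are constructed), a minimal handler that returns 401 only when credentials are missing or invalid, and 403 when an authenticated principal lacks the needed privilege, as RFC 3744 requires:

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed (hypothetical) credential store and per-resource ACL.
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {"/docs/report.txt": {"alice": {"read", "write"}, "bob": {"read"}}}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def basic(user: str, password: str) -> str:
    """Build a Basic Authorization header value (helper for callers/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the principal for a valid Basic credential, or None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison so timing does not reveal how much matched.
    if user in USERS and hmac.compare_digest(USERS[user].encode(), password.encode()):
        return user
    return None


def handle(method: str, path: str, authorization: Optional[str]) -> Response:
    """Authenticate first (401 on failure), then authorize (403 on failure)."""
    needed = "write" if method in ("PUT", "PROPPATCH", "DELETE", "MKCOL") else "read"
    principal = authenticate(authorization)
    if principal is None:
        # Not authenticated: 401 plus a challenge tells the client to (re)authenticate.
        return Response(401, {"WWW-Authenticate": 'Basic realm="dav"'})
    granted = ACL.get(path, {}).get(principal, set())
    if needed not in granted:
        # Authenticated but not permitted: 403, never 401 (re-authenticating won't help).
        return Response(403, {}, "Forbidden")
    return Response(200, {}, "OK")
```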
Received on Sunday, 25 May 2008 16:13:33 GMT
