Re: 403/401 for access denied Re: Thoughts on relation to WebDAV from Helge Hess on 2008-05-25 (w3c-dist-auth@w3.org from April to June 2008)

From: Helge Hess <helge.hess@opengroupware.org>
Date: Sun, 25 May 2008 20:43:49 +0200
To: WebDAV <w3c-dist-auth@w3.org>
Message-Id: <DAFD4B9E-A696-4F8A-AAC7-AAA7F13A52CD@opengroupware.org>

On 25.05.2008, at 11:54, Werner Baumann wrote:
> Helge Hess wrote:
>> Summary: even if the user is authenticated, one would reissue a 401  
>> if access is denied to a resource. Which makes me wonder in what  
>> (real world) situations one would use 403 then.
>> Access restrictions based on IP-address might cause a 403, for  
>> instance. Basically:
> - 401 says: authenticate and the request will succeed

'might' succeed. Since it can't know the credentials in advance, it  
can't say that any authenticated credentials will be authorized.

> - 403 says: denied, and authentication will not help.

Yes, thats what the spec is saying :-/

> Actually, RFC 2616 says:
> 401 Unauthorized
> it is *not* "401 for access-denied"

I was surprised, but the RFC actually says that: "If the request  
already included Authorization credentials, then the 401 response  
indicates that authorization has been refused for those credentials."

This is access-denied (the user is authenticated, but not authorized).

>> Actually in the real world having to send a 401 for access-denied  
>> will probably confuse almost any client. It will _clear_  
>> authentication in almost any (in fact many webapps rely on that for  
>> the 401-logout-hack).
>>
> I only know about HTTP-Basic- and HTTP-Digest-authentication. In  
> this cases the client will include authentication information with  
> every request.
[cut]

Yes. The problem is that according to the spec 401 is to be used for  
access denied. Most (all?) clients will ignore that the user is  
already authenticated and prompt him for new credentials instead of  
saying 'access denied'.

>> Also: RFC 3744 contradicts with that? Eg it says (3. Privileges):
>>  http://webdav.org/specs/rfc3744.html#privileges
>>  'Servers must report a 403 "Forbidden" error if access is denied'
>> The whole RFC goes like this.
>>
> I never cared about RFC 3744. But at first sight, this looks like  
> not being related to HTTP-authentication, but to be specific to  
> privileges, ACEs and whatsoever defined in RFC 3744.

Can't follow you.

Thanks,
   Helge

Received on Sunday, 25 May 2008 18:44:34 UTC