
Re: 403/401 for access denied Re: Thoughts on relation to WebDAV

From: Helge Hess <helge.hess@opengroupware.org>
Date: Sun, 25 May 2008 21:01:43 +0200
Message-Id: <1511C21A-04F7-4329-84E4-31EC0828791A@opengroupware.org>
To: WebDAV <w3c-dist-auth@w3.org>

On 25.05.2008, at 18:18, Julian Reschke wrote:
>> Access restrictions based on IP-address might cause a 403, for  
>> instance. Basically:
>> - 401 says: authenticate and the request will succeed
> Nope. It means: "authenticate, and the request will not fail again  
> with 401. But potentially in a different way".

Why? It explicitly states that it may fail again with 401, if  
*authorization* fails for the *authenticated* user:
---snip:10.4.2---
If the request already included Authorization credentials, then the
401 response indicates that authorization has been refused for those
credentials.
---snap---

>> - 403 says: denied, and authentication will not help.
> Exactly.

It says: "Authorization will not help".
http://www.duke.edu/~rob/kerberos/authvauth.html


Anyways, not really relevant.

So what to do? There is a resource /addressbook/donald.vcf. User
'mickey' is authenticated for the relevant domain but is not  
authorized to access that specific resource. User 'dagobert' *is*  
authorized to access donald.vcf, so (re-)authentication with different  
credentials would help.

Given that 403 says "Authorization will not help" and 401 says "If the  
request already included Authorization credentials, then the 401  
response indicates that authorization has been refused", I would  
derive that mickey should get a 401.

It seems a bit weird to me from a practical point of view, but can it  
actually be read in a different way?

Thanks,
   Helge
Received on Sunday, 25 May 2008 19:04:31 GMT
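
The practical difference between the two readings discussed in this message, as an added example that is not part of the original post: a server that answers an authenticated but unauthorized user with either 401 or 403, and a client that retries with other credentials only after a 401. The passwords, the ACL, the realm name and the function names are constructed for the illustration.

```python
# Added illustration; users, passwords, ACL and realm are constructed sample data.
import base64

USERS = {"mickey": "cheese", "dagobert": "money"}   # constructed credentials
ACL = {"/addressbook/donald.vcf": {"dagobert"}}     # who may read the resource
CHALLENGE = ("WWW-Authenticate", 'Basic realm="addressbook"')


def parse_basic(header):
    """Return the user name if the Basic credentials are valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:                   # bad base64 or bad UTF-8
        return None
    return user if USERS.get(user) == password else None


def respond(path, auth_header, denied_status):
    """Server side. denied_status is the code sent to an authenticated but
    unauthorized user: 401 (the reading derived in the message) or 403."""
    user = parse_basic(auth_header)
    if user is None:
        return 401, [CHALLENGE]          # a 401 must carry a challenge
    if user in ACL.get(path, set()):
        return 200, []
    return (401, [CHALLENGE]) if denied_status == 401 else (403, [])


def client_fetch(path, credential_list, denied_status):
    """Client side: try the next credentials only after a 401."""
    trace = []
    for user, password in credential_list:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, _ = respond(path, "Basic " + token, denied_status)
        trace.append((user, status))
        if status != 401:                # 200 is success, 403 means stop
            break
    return trace
```

With 401 the client moves on from mickey to dagobert and gets the resource; with 403 it stops after mickey's attempt.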
