- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 21 Feb 2009 17:07:44 +0100
- To: Martin Atkins <mart@degeneration.co.uk>
- CC: www-talk@w3.org
Martin Atkins wrote:
>
> I have run into a situation where I don't believe the HTTP specification
> is clear so I was hoping that folks here might be able to weigh in on
> what the correct approach might be.
>
> Imagine that I have a resource at some HTTP URL. This resource supports
> the GET, PUT and DELETE methods.
>
> In response to a request with any of those three methods, the resource
> returns a valid 401 Unauthorized response containing a challenge.
>
> If I receive a request that has valid authentication credentials for a
> user that only has access rights to read and not to modify the resource,
> what is the appropriate response status code to use when that request
> uses the PUT or DELETE methods?
>
> Here are some options I've been considering:
>
> * Return 405 Method Not Allowed, and indicate in the "Allow" response
> header the methods that this particular authenticated user is allowed to
> perform. (i.e. Allow: GET)

The description for 405 is not very clear, but the one for "Allow" is (IMHO):

"The Allow entity-header field lists the set of methods supported by the resource identified by the Request-URI." -- <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.14.7>

So no, this doesn't fit.

> * Return 403 Forbidden, indicating that the authentication was
> successful and that this method is supported but this particular client
> is not allowed perform the request. The "Allow" response header here
> will have the value "GET, PUT, DELETE".

Exactly.

> * Return 401 Unauthorized with another challenge, indicating that the
> supplied credentials are not acceptable for this resource. This of
> course means that the client is unable to distinguish between an invalid
> credentials error and an insufficient access error.

"If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials." -- <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.10.4.2>

So, 401 is IMHO incorrect as well.

> I'd be interested to hear some feedback on which of these approaches
> would be best, or indeed receive any suggestions on alternative
> approaches that work better with web architecture.
>
> Thanks,
> Martin

Best regards, Julian
Received on Saturday, 21 February 2009 16:08:30 UTC
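The status-code mapping Julian describes, as an added example that is not part of the original thread and not code from either participant: a pure decision function for a resource supporting GET, PUT and DELETE behind HTTP Basic authentication. It returns 401 with a challenge when credentials are missing or refused, 403 when the credentials verify but the principal lacks the right for that method, and 405 only for methods the resource itself does not support. The Allow header always lists what the resource supports, never what the current user may do. The realm name, user table and passwords are constructed for illustration.

```python
"""Decision logic for a GET/PUT/DELETE resource behind HTTP Basic auth.

Mapping (per the RFC 2616 reading in the thread above):
  * no credentials, or credentials that cannot be verified -> 401 + challenge
  * verified principal lacking the right for this method  -> 403
  * method the resource does not support at all           -> 405
Allow lists the methods the *resource* supports, never the user's rights.
"""
import base64
import binascii
import hmac

REALM = "example"  # assumption: illustrative realm name
SUPPORTED_METHODS = ("GET", "PUT", "DELETE")

# Constructed user table (illustrative only): password and permitted methods.
USERS = {
    "reader": {"password": "r3ad-only", "rights": {"GET"}},
    "editor": {"password": "wr1te-too", "rights": {"GET", "PUT", "DELETE"}},
}


def _parse_basic(authorization):
    """Return (user, password) from a Basic Authorization header, or None."""
    if not authorization:
        return None
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def _authenticate(authorization):
    """Return the user name if the credentials verify, else None."""
    parsed = _parse_basic(authorization)
    if parsed is None:
        return None
    user, password = parsed
    record = USERS.get(user)
    # Always run a constant-time comparison, even for unknown users, so the
    # known/unknown branch does not short-circuit before the compare.
    expected = record["password"] if record else "\0" * 16
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return user if (record and ok) else None


def respond(method, authorization=None):
    """Return (status, headers) for a request to the resource."""
    allow = ", ".join(SUPPORTED_METHODS)
    if method not in SUPPORTED_METHODS:
        # Resource does not support this method at all: 405 with the
        # resource's full method list in Allow (RFC 2616 14.7).
        return 405, {"Allow": allow}
    user = _authenticate(authorization)
    if user is None:
        # Missing or refused credentials: (re-)challenge (RFC 2616 10.4.2).
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if method not in USERS[user]["rights"]:
        # Authenticated but not authorized for this method: 403.
        # Allow is unchanged; it still describes the resource, not the user.
        return 403, {"Allow": allow}
    return 200, {"Allow": allow}


def basic(user, password):
    """Build a Basic Authorization header value (helper for the demo)."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return "Basic " + token


if __name__ == "__main__":
    cases = [
        ("GET", None),
        ("PUT", basic("reader", "wrong")),
        ("GET", basic("reader", "r3ad-only")),
        ("PUT", basic("reader", "r3ad-only")),
        ("DELETE", basic("editor", "wr1te-too")),
        ("POST", basic("editor", "wr1te-too")),
    ]
    for method, auth in cases:
        print(method, auth, "->", respond(method, auth))
```

Checking method support before authentication is a design choice: it lets an unauthenticated client learn the resource's Allow list via a 405, which is the same information a successful OPTIONS or 403 would carry, so nothing about the user's rights is exposed. Swap the first two checks if the deployment wants every unauthenticated request to receive 401 regardless of method.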