- From: Werner Baumann <werner.baumann@onlinehome.de>
- Date: Wed, 28 May 2008 18:26:22 +0200
- CC: ietf-http-wg@w3.org
Miles Crawford wrote:
>
> Has any thought been given to changing the wording for these status codes?
>
> Presently, 401 is called "Unauthorized" and then proceeds to describe
> being unauthenticated. 403, ambiguously called "Forbidden", describes
> being unauthorized.
>
It is not the wording; the meaning is different from your interpretation.

HTTP authentication combines authentication and authorization. Clients send credentials with every request. The server checks
- whether the credentials are valid (authentication)
- and whether this user is authorized to access the requested resource with the request method (authorization).

"401 Unauthorized" does not (and should not) tell which of these two checks failed and why. Please see RFC 2617.

And this is 403, from RFC 2616:

10.4.4 403 Forbidden

   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.
   If the request method was not HEAD and the server wishes to make
   public why the request has not been fulfilled, it SHOULD describe the
   reason for the refusal in the entity. If the server does not wish to
   make this information available to the client, the status code 404
   (Not Found) can be used instead.

Please note the "Authorization will not help".

Within the extension RFC 3744, Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol, 403 may have a special meaning within the context of special requests that is related to authorization. But I cannot judge this, and this does not affect the definition of status codes in RFC 2616.

Werner
Received on Wednesday, 28 May 2008 16:36:08 UTC
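The two checks described in the message above, worked through as an added example (this is not code from the thread, from RFC 2616 or from RFC 2617): a small Python decision function that chooses 200, 401, 403, 404 or 405 for a request under that reading of the RFCs. The user table, the access-control table, the realm name "example", and the helpers `basic_header`, `parse_basic`, `authenticate` and `decide` are all constructed for this illustration.

```python
import base64
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed credential store for the example (plaintext only to keep the
# demonstration short; a real server stores password hashes).
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}

# Constructed access-control table: (path, method) -> set of users allowed.
#   None       -> anonymous access, no credentials needed
#   empty set  -> refused for everyone ("Authorization will not help")
ACL: Dict[Tuple[str, str], Optional[Set[str]]] = {
    ("/public", "GET"): None,
    ("/reports", "GET"): {"alice", "bob"},
    ("/reports", "PUT"): {"alice"},
    ("/archive", "DELETE"): set(),
}

REALM = "example"  # assumed realm name for the WWW-Authenticate challenge


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends (RFC 2617 Basic)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic credential, or None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    return user, password


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Authentication check: the user name if the credentials are valid, else None."""
    creds = parse_basic(authorization)
    if creds is None:
        return None
    user, password = creds
    if user in USERS and hmac.compare_digest(USERS[user].encode(), password.encode()):
        return user
    return None


def decide(method: str, path: str, authorization: Optional[str],
           hide_refusals: bool = False) -> Tuple[int, Dict[str, str]]:
    """Pick the status code for one request; returns (status, extra response headers)."""
    known_methods = sorted(m for (p, m) in ACL if p == path)
    if not known_methods:
        return 404, {}
    if method not in known_methods:
        return 405, {"Allow": ", ".join(known_methods)}

    allowed = ACL[(path, method)]
    if allowed is None:
        return 200, {}  # anonymous resource, no checks at all

    if not allowed:
        # Nobody may do this, so the credentials are not even consulted:
        # "Authorization will not help and the request SHOULD NOT be repeated."
        # The server may answer 404 instead to hide that the resource exists.
        return (404, {}) if hide_refusals else (403, {})

    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    user = authenticate(authorization)
    if user is None or user not in allowed:
        # One and the same 401 whether credentials were missing, invalid, or
        # valid but for a user not permitted this method here: the response
        # does not say which check failed, only that other credentials might do.
        return 401, challenge

    return 200, {}  # authenticated and authorized


if __name__ == "__main__":
    for req in [("GET", "/reports", None),
                ("PUT", "/reports", basic_header("bob", "battery staple")),
                ("DELETE", "/archive", basic_header("alice", "correct horse"))]:
        print(req[0], req[1], "->", decide(*req))
```

Note that the 403 branch runs before any credential is looked at, which is what "Authorization will not help" implies, and that the 401 branch deliberately returns an identical challenge for a wrong password and for a valid user lacking the permission, so the response does not reveal which of the two checks failed.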