- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 21 Jul 2010 14:43:11 +0200
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: "William A. Rowe Jr." <wrowe@rowe-clan.net>, "Roy T. Fielding" <fielding@gbiv.com>, Mark Nottingham <mnot@mnot.net>, David Morris <dwm@xpasc.com>, HTTP Working Group <ietf-http-wg@w3.org>, Martin Atkins <mart@degeneration.co.uk>
On Wed, Jul 21, 2010 at 01:46:38PM +0200, Julian Reschke wrote:
(...)
> On 19.07.2010 23:13, Willy Tarreau wrote:
> > ...
> > or also "not acceptable" ?
> > ...
>
> That would create confusion with the Accept header and status code 406.

Good point! Let's forget this one then.

(...)
> OK, so:
>
> 401 -> you can't do this because you haven't authenticated
>
> 403 -> this is forbidden for you, but authenticating as somebody else
> may help
>
> 405 -> this method is not allowed/supported/applicable for this resource
>
> The use case you mentioned is interesting and came up before: what's a
> good way to signal to non-authenticated users that authenticating might
> give access to more operations? "Vary: Authorization" comes to mind. But
> that still would require the "public" server to know about the
> "authoring" server, in which case it might be possible to properly
> return information about method support...

Anyway, it still leaves open the expected behaviour on the client. What
should a client do when facing such a response which indicates that
(re-)authenticating as a different user *may* help satisfy the condition ?

Regards,
Willy
Received on Wednesday, 21 July 2010 12:43:54 UTC