Re: WGLC #357: Authentication Exchanges

On 2012-06-20 10:36, Yutaka OIWA wrote:
> Dear Amos and Mark,
>
>> A server receiving credentials that are valid, but not adequate to gain access, ought to respond with the 403 (Forbidden) status code.
>
> I have a different understanding on the use of 401/403 statuses.
> At least on current implementations (e.g. Apache),
> auth-succeed and authz-failed status will be represented by
> 401-status instead of 403.
> 403 status is used, for example, when the content is
> not accessible by underlying filesystem permissions,
> or by server configuration for denying directory listing.
>
> I think this (use 401 instead of 403) should be kept for two reasons:
>
>   * Without 401 status, client will not know that changing
>      the user name and the password will solve the
>      inaccessibility issue.

Sorry?

"The server understood the request, but refuses to authorize it. 
Providing different user authentication credentials might be successful, 
but any credentials that were provided in the request are insufficient. 
The request SHOULD NOT be repeated with the same credentials." - 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.7.4.3>

> ...

Best regards, Julian
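As an added illustration (not code from either poster or from the draft), the following handler applies the distinction Julian quotes from the draft: a missing, malformed or invalid credential gets 401 with a challenge, while a credential that verifies but is not sufficient for the resource gets 403. The user table, realm name and per-path allow lists are constructed sample data.

```python
import base64
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed sample data (not from the thread). Plaintext passwords
# are used only to keep the example short.
USERS: Dict[str, str] = {"alice": "alice-pw", "bob": "bob-pw"}
ALLOWED: Dict[str, Set[str]] = {"/admin": {"alice"}, "/public": {"alice", "bob"}}
REALM = "example"


def basic_header(user: str, password: str) -> str:
    """Build a Basic Authorization header value (used for tests and demos)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic header, or None if absent or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(creds: Optional[Tuple[str, str]]) -> Optional[str]:
    """Return the user name if the credential verifies, else None."""
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def handle(path: str, authorization: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Status and headers for a request, separating authn from authz failure."""
    user = authenticate(parse_basic(authorization))
    if user is None:
        # No usable credentials: challenge, so the client knows credentials are the problem.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if user not in ALLOWED.get(path, set()):
        # Valid credentials, but not enough for this resource: the draft's 403 case.
        return 403, {}
    return 200, {}
```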

Received on Wednesday, 20 June 2012 09:24:57 UTC