- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 20 Jun 2012 12:29:53 +0200
- To: Yutaka OIWA <y.oiwa@aist.go.jp>
- CC: Mark Nottingham <mnot@mnot.net>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
On 2012-06-20 12:08, Yutaka OIWA wrote:
> Dear Julian,
>
> 2012/6/20 Julian Reschke <julian.reschke@gmx.de>:
>>> I think this (use 401 instead of 403) should be kept for two reasons:
>>>
>>> * Without 401 status, client will not know that changing
>>> the user name and the password will solve the
>>> inaccessibility issue.
>>
>>
>> Sorry?
>>
>> "The server understood the request, but refuses to authorize it. Providing
>> different user authentication credentials might be successful, but any
>> credentials that were provided in the request are insufficient. The request
>> SHOULD NOT be repeated with the same credentials." -
>> <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-19.html#rfc.section.7.4.3>
>
> I see. I noticed now that this was changed incompatibly from RFC 2616.
> Thank you for telling me.

Context: <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/294>

> Now I have a concern with the text for 403 status for two reasons,
> * any recovery from failed authorization (with successful authentication)
> is completely out of the protocol's provision, and
> * the new definition is intentionally breaking existing server implementations.

How so? Example?

> ...

Best regards, Julian
Received on Wednesday, 20 June 2012 10:30:33 UTC
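The distinction the thread argues about (401 when the problem is the credentials themselves and a challenge tells the client what to present next, versus 403 when the request was authenticated but the server still refuses to authorize it, so repeating it with the same credentials is pointless) is easier to see in a small decision function. The following is an added example written for this page; it is not code from the thread, from HTTPbis, or from any of the participants. The user table, the realm name "example", the path-based permission check, and the helper names `parse_basic`, `decide` and `basic_header` are all constructed for the illustration.

```python
"""Added example: separating 401 (authentication failure, with a challenge)
from 403 (authenticated but not authorized, no challenge). Everything here,
including the credential store, is constructed for demonstration only."""
import base64
import hmac

REALM = "example"  # assumed realm name for the Basic challenge

# Constructed sample credential store: username -> (password, set of readable paths)
USERS = {
    "alice": ("alice-secret", {"/reports"}),
    "bob": ("bob-secret", set()),
}


def parse_basic(auth_header):
    """Return (user, password) from a Basic Authorization header value, else None."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Malformed token: treat as "no usable credentials", not as a server error.
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def decide(path, auth_header):
    """Return (status, headers) for a request to `path` carrying the given
    Authorization header value (or None when the header is absent)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic(auth_header)
    if creds is None:
        # No usable credentials: 401 plus a challenge tells the client what to send.
        return 401, challenge
    user, password = creds
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(
        record[0].encode("utf-8"), password.encode("utf-8")
    ):
        # Unknown user or wrong password is still an authentication failure,
        # so the answer is again 401 with the same challenge.
        return 401, challenge
    if path not in record[1]:
        # Authenticated, but this identity may not access the resource: 403.
        # No challenge is sent, because the client already authenticated;
        # repeating the request with the same credentials cannot succeed.
        return 403, {}
    return 200, {}


def basic_header(user, password):
    """Build a Basic Authorization header value (demonstration helper)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    for label, hdr in [
        ("no credentials", None),
        ("wrong password", basic_header("alice", "nope")),
        ("alice, permitted", basic_header("alice", "alice-secret")),
        ("bob, authenticated but not permitted", basic_header("bob", "bob-secret")),
    ]:
        print("%-40s -> %s" % (label, decide("/reports", hdr)))
```

The point to notice is that the 403 branch deliberately omits `WWW-Authenticate`: that header is the only in-protocol hint a client has that different credentials might help, which is exactly the recovery path the quoted 403 text describes as optional rather than guaranteed.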