403/401 for access denied Re: Thoughts on relation to WebDAV from Helge Hess on 2008-05-25 (w3c-dist-auth@w3.org from April to June 2008)

From: Helge Hess <helge.hess@opengroupware.org>
Date: Sun, 25 May 2008 10:11:01 +0200
To: WebDAV <w3c-dist-auth@w3.org>
Message-Id: <72594CE2-67F7-421E-8616-021E9C55C29B@opengroupware.org>

On 24.05.2008, at 18:13, Werner Baumann wrote:
> BTW: 403 Forbidden is *not* related to authorization; that's 401.


You are right! Weird, I always got this wrong. (RFC 2616,  
10.4.2/10.4.4 explicitly states what you say).

Summary: even if the user is authenticated, one would reissue a 401 if  
access is denied to a resource. Which makes me wonder in what (real  
world) situations one would use 403 then.

Actually in the real world having to send a 401 for access-denied will  
probably confuse almost any client. It will _clear_ authentication in  
almost any (in fact many webapps rely on that for the 401-logout-hack).

Also: RFC 3744 contradicts with that? Eg it says (3. Privileges):
   http://webdav.org/specs/rfc3744.html#privileges

   'Servers must report a 403 "Forbidden" error if access is denied'

The whole RFC goes like this.

I'm confused ;-/

Thanks,
   Helge

Received on Sunday, 25 May 2008 08:11:45 UTC