- From: Werner Baumann <werner.baumann@onlinehome.de>
- Date: Sun, 25 May 2008 11:54:56 +0200
- CC: WebDAV <w3c-dist-auth@w3.org>
Helge Hess wrote: > Summary: even if the user is authenticated, one would reissue a 401 if > access is denied to a resource. Which makes me wonder in what (real > world) situations one would use 403 then. > Access restrictions based on IP-address might cause a 403, for instance. Basically: - 401 says: authenticate and the request will succeed - 403 says: denied, and authentication will not help. Actually, RFC 2616 says: 401 Unauthorized it is *not* "401 for access-denied" > Actually in the real world having to send a 401 for access-denied will > probably confuse almost any client. It will _clear_ authentication in > almost any (in fact many webapps rely on that for the 401-logout-hack). > I only know about HTTP-Basic- and HTTP-Digest-authentication. In this cases the client will include authentication information with every request. A 401 response includes information about the realm of authentication. A client will either repeat the request with authentication information included, or give up, if it can't authenticate for that realm. In practice: servers may require different authentication for different parts of their resources. A new request from the client may leave one realm of authentication and enter another one (e.g. some directory is only allowed for authenticated users; within this is an area only allowed for administrators). > Also: RFC 3744 contradicts with that? Eg it says (3. Privileges): > http://webdav.org/specs/rfc3744.html#privileges > > 'Servers must report a 403 "Forbidden" error if access is denied' > > The whole RFC goes like this. > I never cared about RFC 3744. But at first sight, this looks like not being related to HTTP-authentication, but to be specific to privileges, ACEs and whatsoever defined in RFC 3744. It probably only makes sense when read within this context. Werner
Received on Sunday, 25 May 2008 09:55:38 UTC