- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sun, 25 May 2008 18:12:09 +0200
- To: Helge Hess <helge.hess@opengroupware.org>
- CC: WebDAV <w3c-dist-auth@w3.org>
Helge Hess wrote:
>
> On 24.05.2008, at 18:13, Werner Baumann wrote:
>> BTW: 403 Forbidden is *not* related to authorization; that's 401.
>
>
> You are right! Weird, I always got this wrong. (RFC 2616, 10.4.2/10.4.4
> explicitly states what you say).
>
> Summary: even if the user is authenticated, one would reissue a 401 if
> access is denied to a resource. Which makes me wonder in what (real
> world) situations one would use 403 then.

That's incorrect. 401 means you need to authenticate. 403 means you're not allowed to do what you want to do.

> Actually in the real world having to send a 401 for access-denied will
> probably confuse almost any client. It will _clear_ authentication in
> almost any (in fact many webapps rely on that for the 401-logout-hack).
>
> Also: RFC 3744 contradicts that? E.g. it says (3. Privileges):
> http://webdav.org/specs/rfc3744.html#privileges
>
> 'Servers must report a 403 "Forbidden" error if access is denied'
>
> The whole RFC goes like this.
>
> I'm confused ;-/

The RFC is right. 403 means "forbidden".

BR, Julian
Received on Sunday, 25 May 2008 16:13:33 UTC
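The distinction Julian draws above (401 with a challenge when the request carries no valid credentials, 403 without a challenge when an authenticated principal lacks the needed privilege, which is what RFC 3744 section 3 requires) as an added Python example. This is not code from the thread or from any WebDAV server; the user table, the ACL, the method-to-privilege mapping, the realm name and the `decide`/`authenticate` helpers are all constructed for illustration.

```python
"""Access decision that separates authentication (401) from authorization (403).

Added example, not part of the mailing-list thread. Everything below is
constructed: a toy credential store, a toy ACL keyed by RFC 3744 privilege
names, and a toy mapping from HTTP/WebDAV methods to the privilege they need.
"""
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store (a real server would verify a password hash or a token).
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}

# Constructed ACL: collection -> {principal: set of RFC 3744 privilege names}.
ACL: Dict[str, Dict[str, set]] = {
    "/calendar/alice/": {"alice": {"read", "write"}},
    "/calendar/shared/": {"alice": {"read"}, "bob": {"read", "write"}},
}

# Constructed subset of which privilege each method requires.
REQUIRED_PRIVILEGE: Dict[str, str] = {
    "GET": "read", "PROPFIND": "read", "PUT": "write", "DELETE": "write",
}

REALM = "webdav"  # constructed realm name


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    """Build the Authorization header a client would send (for constructing requests)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the principal name for valid Basic credentials, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    # Constant-time compare so a wrong password does not leak which user exists.
    if expected is not None and hmac.compare_digest(expected, password):
        return user
    return None


def decide(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for a request against the toy ACL."""
    principal = authenticate(headers)
    if principal is None:
        # No usable credentials: the client needs to authenticate (RFC 2616 10.4.2),
        # so the response carries a challenge the client can answer.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}

    needed = REQUIRED_PRIVILEGE.get(method)
    granted = ACL.get(path, {}).get(principal, set())
    if needed is None or needed not in granted:
        # Authenticated, but the principal is not allowed to do this
        # (RFC 2616 10.4.4; RFC 3744 section 3). No challenge header: re-sending
        # credentials would not change the outcome, and a 401 here would also
        # make many clients discard the session they already have.
        return 403, {}

    return 200, {}


if __name__ == "__main__":
    print(decide("GET", "/calendar/alice/", {}))                                   # 401 + challenge
    print(decide("GET", "/calendar/alice/", basic_auth_header("alice", "nope")))   # 401 + challenge
    print(decide("PUT", "/calendar/shared/", basic_auth_header("alice", "correct horse")))  # 403
    print(decide("GET", "/calendar/shared/", basic_auth_header("alice", "correct horse")))  # 200
```

The point worth checking in a real server is the second branch: once `authenticate` has succeeded, nothing in the authorization path should emit a 401, because that status tells the client its credentials were not accepted and triggers exactly the "clear authentication" behaviour Helge describes.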