- From: Helge Hess <helge.hess@opengroupware.org>
- Date: Sun, 25 May 2008 21:01:43 +0200
- To: WebDAV <w3c-dist-auth@w3.org>
On 25.05.2008, at 18:18, Julian Reschke wrote:

>> Access restrictions based on IP-address might cause a 403, for
>> instance. Basically:
>> - 401 says: authenticate and the request will succeed
>
> Nope. It means: "authenticate, and the request will not fail again
> with 401. But potentially in a different way".

Why? It explicitly states that it may fail again with 401, if
*authorization* fails for the *authenticated* user:

---snip:10.4.2---
If the request already included Authorization credentials, then the
401 response indicates that authorization has been refused for those
credentials.
---snap---

>> - 403 says: denied, and authentication will not help.
>
> Exactly. It says: "Authorization will not help".

http://www.duke.edu/~rob/kerberos/authvauth.html

Anyways, not really relevant.

So what to do, there is resource /addressbook/donald.vcf. User 'mickey'
is authenticated for the relevant domain but is not authorized to access
that specific resource. User 'dagobert' *is* authorized to access
donald.vcf, so (re-)authentication with different credentials would help.

Given that 403 says "Authorization will not help" and 401 says "If the
request already included Authorization credentials, then the 401 response
indicates that authorization has been refused", I would derive that mickey
should get a 401.

It seems a bit weird to me from a practical point of view, but can it
actually be read in a different way?

Thanks,
  Helge
Received on Sunday, 25 May 2008 19:04:31 UTC
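The decision Helge describes, as an added example that is not code from the thread or from any of the participants: a minimal request handler for /addressbook/donald.vcf that first authenticates the Authorization header, then checks an ACL, and lets the caller choose which status an authenticated-but-unprivileged principal receives. The user names come from the post; the passwords, the ACL contents and the IP allow-list (Julian's example of a restriction where no credentials will ever help) are constructed for the demo.

```python
"""Decide between 401 and 403 for a WebDAV resource.

Added example, not code from the w3c-dist-auth thread. Users, passwords,
the ACL and the IP allow-list are constructed for illustration only.
"""
import base64
import ipaddress
from typing import Optional, Tuple

REALM = "addressbook"

# Constructed credential store: user -> password (plaintext only for the demo).
USERS = {"mickey": "mouse", "dagobert": "duck"}

# Constructed ACL: path -> set of principals allowed to read it.
ACL = {"/addressbook/donald.vcf": {"dagobert"}}

# Constructed IP allow-list: a restriction that is independent of identity.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the principal named by a Basic Authorization header, or None
    if the header is missing, malformed, or carries wrong credentials."""
    if not authorization:
        return None
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, _, password = decoded.partition(":")
    # Demo only: real code compares a salted hash in constant time.
    if USERS.get(user) == password:
        return user
    return None


def decide(path: str, authorization: Optional[str], client_ip: str,
           unauthorized_user_status: int = 403) -> Tuple[int, dict]:
    """Return (status, headers) for a GET of `path`.

    unauthorized_user_status selects the reading debated in the thread for
    a principal that authenticated fine but lacks the privilege:
      403 - the conventional reading ("authorization will not help")
      401 - Helge's reading of RFC 2616 10.4.2 ("authorization has been
            refused for those credentials", so re-authenticating as a
            different user could succeed)
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}

    # Restriction independent of identity: no credentials will ever help.
    if not any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_NETS):
        return 403, {}

    principal = authenticate(authorization)
    if principal is None:
        # Missing, malformed or wrong credentials: 401 must carry a challenge.
        return 401, challenge

    if principal in ACL.get(path, set()):
        return 200, {}

    # Authenticated, but this principal may not read this resource.
    if unauthorized_user_status == 401:
        return 401, challenge
    return 403, {}


def basic(user: str, password: str) -> str:
    """Build a Basic Authorization header value (helper for the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    path = "/addressbook/donald.vcf"
    cases = [
        ("anonymous", None, "10.1.2.3"),
        ("mickey (authenticated, not authorized)", basic("mickey", "mouse"), "10.1.2.3"),
        ("dagobert (authorized)", basic("dagobert", "duck"), "10.1.2.3"),
        ("dagobert from a blocked network", basic("dagobert", "duck"), "192.0.2.1"),
    ]
    for label, auth, ip in cases:
        for choice in (403, 401):
            status, hdrs = decide(path, auth, ip, choice)
            print(f"{label:42} policy={choice} -> {status} {hdrs}")
```

Two points a practitioner would check against this: every 401 the handler emits carries a WWW-Authenticate challenge (RFC 2616 requires it), and the IP restriction returns 403 even for dagobert, since no set of credentials changes the outcome. For the case the thread argues about, the later HTTP authentication specification (RFC 7235, section 3.1) settled on the 403 reading: 403 is used when the server "understood the request but refuses to authorize it", and it adds that if credentials were provided, the server considers them insufficient; 401 is reserved for requests that lack valid credentials for the target resource.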