Re: 403/401 for access denied Re: Thoughts on relation to WebDAV

Helge Hess wrote:
> On 25.05.2008, at 11:54, Werner Baumann wrote:
>> Actually, RFC 2616 says:
>> 401 Unauthorized
>> it is *not* "401 for access-denied"
> 
> I was surprised, but the RFC actually says that: "If the request already 
> included Authorization credentials, then the 401 response indicates that 
> authorization has been refused for those credentials."
> 
> This is access-denied (the user is authenticated, but not authorized).
>
NO! It isn't. It is still "Unauthorized" and nothing else.
The server does not accept the credentials and wants the proper ones. As 
HTTP is stateless, the server will repeat this until the user 
finally gets either the proper credentials or tired. Whether the client 
stops this at some point or waits for the user to get tired is a client 
issue, not a protocol issue.

>>> Actually in the real world having to send a 401 for access-denied 
>>> will probably confuse almost any client. It will _clear_ 
>>> authentication in almost any (in fact many webapps rely on that for 
>>> the 401-logout-hack).
>>>
>> I only know about HTTP-Basic- and HTTP-Digest-authentication. In this 
>> cases the client will include authentication information with every 
>> request.
> [cut]
> 
> Yes. The problem is that according to the spec 401 is to be used for 
> access denied.
>
Where does the spec say this?

Werner

Received on Sunday, 25 May 2008 19:12:14 UTC
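The distinction argued over in this thread, as an added example that is not part of the original posts or of any WebDAV server discussed on the list: a minimal server-side decision routine for HTTP Basic authentication that answers 401 (credentials missing, malformed or rejected, so challenge again with WWW-Authenticate, which RFC 2616 requires on every 401) versus 403 (credentials accepted, but this principal may not touch this resource), plus a small client loop that keeps resubmitting credentials on 401 and gives up after a bounded number of attempts, the "client issue" Werner refers to. The realm, user table, passwords and ACL are constructed for illustration.

```python
"""Added example (not from the mailing-list thread): 401 vs 403 decision
logic for HTTP Basic authentication, with a bounded client retry loop.
All users, passwords, paths and the realm below are constructed sample data."""

import base64
import hmac

# Constructed sample data: user -> password, and path -> set of users allowed.
USERS = {"alice": "wonderland", "bob": "builder"}
ACL = {
    "/dav/alice/": {"alice"},
    "/dav/bob/": {"bob"},
    "/dav/shared/": {"alice", "bob"},
}
REALM = "WebDAV"  # assumed realm name, not from the thread


def basic_header(user, password):
    """Build the value of an 'Authorization: Basic ...' request header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(authorization):
    """Return (user, password) from a Basic Authorization value, or None if
    the header is absent, uses another scheme, or is not well-formed."""
    if not authorization:
        return None
    scheme, _, param = authorization.partition(" ")
    if scheme.lower() != "basic" or not param.strip():
        return None
    try:
        decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authenticate(user, password):
    """True only if the user exists and the password matches. The comparison
    runs even for unknown users so the rejection path takes similar time
    (limits timing-based user enumeration)."""
    stored = USERS.get(user, "")
    matched = hmac.compare_digest(stored.encode(), password.encode())
    return matched and user in USERS


def respond(path, authorization):
    """Decide the status for one request; returns (status, response headers).

    401 always carries a WWW-Authenticate challenge (RFC 2616 10.4.2 makes
    the header mandatory on 401). 403 carries no challenge: the identity is
    established, and resubmitting other credentials is not what is wanted."""
    creds = parse_basic(authorization)
    if creds is None or not authenticate(*creds):
        # Missing, malformed or rejected credentials: challenge (again).
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    user = creds[0]
    allowed = ACL.get(path)
    if allowed is None or user not in allowed:
        # Authenticated, but not authorized for this resource.
        return 403, {}
    return 200, {}


def client_request(path, credentials_iter, max_attempts=3):
    """Simulate a client talking to respond(): start with no credentials,
    take a fresh (user, password) pair from the iterator on each 401, and
    stop after max_attempts requests or when the user has nothing more to
    offer. The cut-off is a client policy, not something the protocol sets;
    the server would keep answering 401 indefinitely."""
    authorization = None
    status = None
    for _ in range(max_attempts):
        status, _headers = respond(path, authorization)
        if status != 401:
            return status
        try:
            user, password = next(credentials_iter)
        except StopIteration:
            return status
        authorization = basic_header(user, password)
    return status


if __name__ == "__main__":
    print(respond("/dav/alice/", None))                                  # 401
    print(respond("/dav/alice/", basic_header("alice", "wonderland")))   # 200
    print(respond("/dav/bob/", basic_header("alice", "wonderland")))     # 403
    print(client_request("/dav/bob/", iter([("alice", "wonderland")])))  # 403
```

The point the code makes concrete: only the 401 branch emits a challenge, so a client that treats "401 received" as "discard my stored credentials and ask the user" (the behaviour Helge describes) would be thrown into a re-prompt loop if a server used 401 for an authorization failure; the 403 branch ends the exchange with the identity intact.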