- From: Martin Atkins <mart@degeneration.co.uk>
- Date: Fri, 20 Feb 2009 14:37:13 -0800
- To: www-talk@w3.org
I have run into a situation where I don't believe the HTTP specification is clear so I was hoping that folks here might be able to weigh in on what the correct approach might be. Imagine that I have a resource at some HTTP URL. This resource supports the GET, PUT and DELETE methods. In response to a request with any of those three methods, the resource returns a valid 401 Unauthorized response containing a challenge. If I recieve a request that has valid authentication credentials for a user that only has access rights to read and not to modify the resource, what is the appropriate response status code to use when that request uses the PUT or DELETE methods? Here are some options I've been considering: * Return 405 Method Not Allowed, and indicate in the "Allow" response header the methods that this particular authenticated user is allowed to perform. (i.e. Allow: GET) * Return 403 Forbidden, indicating that the authentication was successful and that this method is supported but this particular client is not allowed perform the request. The "Allow" response header here will have the value "GET, PUT, DELETE". * Return 401 Unauthorized with another challenge, indicating that the supplied credentials are not acceptable for this resource. This of course means that the client is unable to distinguish between an invalid credentials error and an insufficient access error. I'd be interested to hear some feedback on which of these approaches would be best, or indeed recieve any suggestions on alternative approaches that work better with web architecture. Thanks, Martin
Received on Friday, 20 February 2009 22:37:53 UTC