Users with different access rights in HTTP Authentication

I have run into a situation where I don't believe the HTTP specification 
is clear so I was hoping that folks here might be able to weigh in on 
what the correct approach might be.

Imagine that I have a resource at some HTTP URL. This resource supports 
the GET, PUT and DELETE methods.

In response to a request with any of those three methods, the resource 
returns a valid 401 Unauthorized response containing a challenge.

If I recieve a request that has valid authentication credentials for a 
user that only has access rights to read and not to modify the resource, 
what is the appropriate response status code to use when that request 
uses the PUT or DELETE methods?

Here are some options I've been considering:

* Return 405 Method Not Allowed, and indicate in the "Allow" response 
header the methods that this particular authenticated user is allowed to 
perform. (i.e. Allow: GET)

* Return 403 Forbidden, indicating that the authentication was 
successful and that this method is supported but this particular client 
is not allowed perform the request. The "Allow" response header here 
will have the value "GET, PUT, DELETE".

* Return 401 Unauthorized with another challenge, indicating that the 
supplied credentials are not acceptable for this resource. This of 
course means that the client is unable to distinguish between an invalid 
credentials error and an insufficient access error.

I'd be interested to hear some feedback on which of these approaches 
would be best, or indeed recieve any suggestions on alternative 
approaches that work better with web architecture.

Thanks,
Martin

Received on Friday, 20 February 2009 22:37:53 UTC