Re: http error on access denied

From: Branko Čibej <brane_at_xbc.nu>
Date: 2005-09-01 21:38:39 CEST

Ben Collins-Sussman wrote:

>
> On Sep 1, 2005, at 8:19 AM, Ivan Zhakov wrote:
>
>> Hi!
>> Maybe I'm missing something, but I don't understand why subversion
>> (mod_svn_authz) replies with http error 401 (authorization failed) on
>> access denied, instead of 403 (forbidden)? My opinion is that 401 means
>> that the user provided an invalid login/password pair, while 403 means
>> that the user provided a valid login/password but has no access to this
>> area. Correct me if I'm wrong.
>
> If the user provided invalid login/password, then *authentication*
> failed. If the access was denied to a specific path, then
> *authorization* failed.
>
> authentication == establishment of identity
> authorization == checking of permissions
>
> The problem is that apache 2.0 muddles these two concepts together,
> referring to them both as "auth". I think apache 2.2 has a new
> architecture that tries to separate the ideas cleanly.
>
> In any case, if permissions are incorrect, then authorization has
> certainly failed. It just also happens that apache also returns that
> error when authentication fails too. :-/

It happens that mod_authz_svn returns HTTP_UNAUTHORIZED in auth_checker
when it should actually return HTTP_FORBIDDEN. And at the same time, it
writes "Access forbidden" in the log. Weird.

-- Brane

Received on Thu Sep 1 21:39:19 2005
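
A stand-alone C model of the status choice discussed in this thread, added here as an example; it is not mod_authz_svn or Apache code. The rule table, `find_rule`, `check_access` and `ACCESS_OK` are hypothetical names, and the paths and users are constructed: a denial with no verified identity yields 401, a denial for a verified identity yields 403.

```c
#include <stdio.h>
#include <string.h>

/* Numeric values are the HTTP status codes; ACCESS_OK is this model's "allow". */
#define HTTP_UNAUTHORIZED 401
#define HTTP_FORBIDDEN    403
#define ACCESS_OK         0

/* Constructed rule table: path prefix -> the one user allowed (NULL = anyone). */
struct rule { const char *prefix; const char *user; };
static const struct rule RULES[] = {
    { "/repos/private", "alice" },
    { "/repos/public",  NULL    },
};

/* Longest-prefix match on path-segment boundaries; NULL if nothing matches. */
static const struct rule *find_rule(const char *path)
{
    const struct rule *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        size_t n = strlen(RULES[i].prefix);
        if (strncmp(path, RULES[i].prefix, n) == 0 &&
            (path[n] == '/' || path[n] == '\0') && n >= best_len) {
            best = &RULES[i];
            best_len = n;
        }
    }
    return best;
}

/* authn_user: identity the server already verified, or NULL when the
 * request carried no valid credentials. Paths without a rule are denied. */
int check_access(const char *authn_user, const char *path)
{
    const struct rule *r = find_rule(path);
    if (r != NULL && (r->user == NULL ||
                      (authn_user != NULL && strcmp(authn_user, r->user) == 0)))
        return ACCESS_OK;
    /* Denied. Unknown identity: challenge for credentials (401).
     * Known identity: new credentials cannot help, so 403. */
    return authn_user == NULL ? HTTP_UNAUTHORIZED : HTTP_FORBIDDEN;
}

int main(void)
{
    printf("%d %d\n", check_access(NULL, "/repos/private/trunk"), check_access("bob", "/repos/private/trunk"));
    return 0;
}
```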

This is an archived mail posted to the Subversion Dev mailing list.