Branko Čibej wrote:
> Ben Collins-Sussman wrote:
>
>>
>> On Sep 1, 2005, at 8:19 AM, Ivan Zhakov wrote:
>>
>>> Hi!
>>> May be miss something, but I don't understand why subversion
>>> (mod_svn_authz) replies http error 401 (authorization failed) on
>>> access denied, instead of 403 (forbidden)? My opinion that 401 means
>>> that user provided invalid login/password pair, while 403 that user
>>> provided valid login/password but have no access to this area. Correct
>>> my if I wrong.
>>
>>
>>
>>
>> If the user provided invalid login/password, then *authentication*
>> failed. If the access was denied to a specific path, then
>> *authorization* failed.
>>
>> authentication == establishment of identity
>> authorization == checking of permissions
>>
>> The problem is that apache 2.0 muddles these two concepts together,
>> referring to them both as "auth". I think apache 2.2 has a new
>> architecture that tries to separate the ideas cleanly.
>>
>> In any case, if permissions are incorrect, then authorization has
>> certainly failed. It just also happens that apache also returns
>> that error when authentication fails too. :-/
>
>
> It happens that mod_authz_svn returns HTTP_UNAUTHORIZED in
> auth_checker when it should actually return HTTP_FORBIDDEN. And at the
> same time, it writes "Access forbidden" in the log. Weird.
Um. "Access denied".
Anyway, mod_authz_svn never does authenitcation, so it's wrong to return
HTTP_UNAUTHORIZED anywhere.
-- Brane
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Sep 1 21:40:19 2005