[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: http error on access denied

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2005-09-01 15:48:43 CEST

On Sep 1, 2005, at 8:19 AM, Ivan Zhakov wrote:

> Hi!
> May be miss something, but I don't understand why subversion
> (mod_svn_authz) replies http error 401 (authorization failed) on
> access denied, instead of 403 (forbidden)? My opinion that 401 means
> that user provided invalid login/password pair, while 403 that user
> provided valid login/password but have no access to this area. Correct
> my if I wrong.

If the user provided invalid login/password, then *authentication*
failed. If the access was denied to a specific path, then
*authorization* failed.

    authentication == establishment of identity
    authorization == checking of permissions

The problem is that apache 2.0 muddles these two concepts together,
referring to them both as "auth". I think apache 2.2 has a new
architecture that tries to separate the ideas cleanly.

In any case, if permissions are incorrect, then authorization has
certainly failed. It just also happens that apache also returns that
error when authentication fails too. :-/

-- 
www.collab.net  <>  CollabNet  |  Distributed Development On Demand
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Sep 1 15:49:50 2005

This is an archived mail posted to the Subversion Dev mailing list.