Re: http error on access denied

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2005-09-01 15:48:43 CEST

On Sep 1, 2005, at 8:19 AM, Ivan Zhakov wrote:

> Hi!
> May be miss something, but I don't understand why subversion
> (mod_svn_authz) replies http error 401 (authorization failed) on
> access denied, instead of 403 (forbidden)? My opinion that 401 means
> that user provided invalid login/password pair, while 403 that user
> provided valid login/password but have no access to this area. Correct
> my if I wrong.

If the user provided invalid login/password, then *authentication*
failed. If the access was denied to a specific path, then
*authorization* failed.

authentication == establishment of identity
authorization == checking of permissions

The problem is that apache 2.0 muddles these two concepts together,
referring to them both as "auth". I think apache 2.2 has a new
architecture that tries to separate the ideas cleanly.

In any case, if permissions are incorrect, then authorization has
certainly failed. It just also happens that apache also returns that
error when authentication fails too. :-/

-- 
www.collab.net  <>  CollabNet  |  Distributed Development On Demand
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Thu Sep 1 15:49:50 2005

This message: [ Message body ]
Next message: David James: "Re: Source download with known-working dependency sources?"
Previous message: Ivan Zhakov: "http error on access denied"
In reply to: Ivan Zhakov: "http error on access denied"
Next in thread: Ivan Zhakov: "Re: http error on access denied"
Reply: Ivan Zhakov: "Re: http error on access denied"
Reply: Branko Čibej: "Re: http error on access denied"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]