On 9/1/05, Ben Collins-Sussman <sussman@collab.net> wrote:
>
> On Sep 1, 2005, at 8:19 AM, Ivan Zhakov wrote:
>
> > Hi!
> > May be miss something, but I don't understand why subversion
> > (mod_svn_authz) replies http error 401 (authorization failed) on
> > access denied, instead of 403 (forbidden)? My opinion that 401 means
> > that user provided invalid login/password pair, while 403 that user
> > provided valid login/password but have no access to this area. Correct
> > my if I wrong.
> If the user provided invalid login/password, then *authentication*
> failed. If the access was denied to a specific path, then
> *authorization* failed.
> authentication == establishment of identity
> authorization == checking of permissions
I am not apache and http expert, so feel free to correct me.
W3 rfc says http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html:
[begin quote]
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a
WWW-Authenticate header field (section 14.47) containing a challenge
applicable to the requested resource. The client MAY repeat the
request with a suitable Authorization header field (section 14.8). If
the request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials. If the 401 response contains the same challenge as the
prior response, and the user agent has already attempted
authentication at least once, then the user SHOULD be presented the
entity that was given in the response, since that entity might include
relevant diagnostic information. HTTP access authentication is
explained in "HTTP Authentication: Basic and Digest Access
Authentication"
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated. If
the request method was not HEAD and the server wishes to make public
why the request has not been fulfilled, it SHOULD describe the reason
for the refusal in the entity. If the server does not wish to make
this information available to the client, the status code 404 (Not
Found) can be used instead.
[end quote]
So is it right to reply 401 on invalid login/password and 403 when
access to some area denied?
> The problem is that apache 2.0 muddles these two concepts together,
> referring to them both as "auth". I think apache 2.2 has a new
> architecture that tries to separate the ideas cleanly.
>
> In any case, if permissions are incorrect, then authorization has
> certainly failed. It just also happens that apache also returns that
> error when authentication fails too. :-/
As I understand 401 error should be generated by my auth_ldap module,
and 403 should be generated by mod_svn_authz. But in code I see that
mod_svn_authz appear as access_check and auth_checker. Why?
Sorry for possible stupid questions.
--
Ivan Zhakov
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Thu Sep 1 16:14:08 2005