Re: http error on access denied

On 9/1/05, Branko Èibej <brane@xbc.nu> wrote:> Branko Èibej wrote:> > > Ben Collins-Sussman wrote:> >> >>> >> On Sep 1, 2005, at 8:19 AM, Ivan Zhakov wrote:> >>> >>> Hi!> >>> May be miss something, but I don't understand why subversion> >>> (mod_svn_authz) replies http error 401 (authorization failed) on> >>> access denied, instead of 403 (forbidden)? My opinion that 401 means> >>> that user provided invalid login/password pair, while 403 that user> >>> provided valid login/password but have no access to this area. Correct> >>> my if I wrong.> >>> >>> >>> >>> >> If the user provided invalid login/password, then *authentication*> >> failed. If the access was denied to a specific path, then> >> *authorization* failed.> >>> >> authentication == establishment of identity> >> authorization == checking of permissions> >>> >> The problem is that apache 2.0 muddles these two concepts together,> >> referring to them both as "auth". I think apache 2.2 has a new> >> architecture that tries to separate the idea
s cleanly.> >>> >> In any case, if permissions are incorrect, then authorization has> >> certainly failed. It just also happens that apache also returns> >> that error when authentication fails too. :-/> >> >> > It happens that mod_authz_svn returns HTTP_UNAUTHORIZED in> > auth_checker when it should actually return HTTP_FORBIDDEN. And at the> > same time, it writes "Access forbidden" in the log. Weird.> > Um. "Access denied".> > Anyway, mod_authz_svn never does authenitcation, so it's wrong to return> HTTP_UNAUTHORIZED anywhere.But it does subversion\mod_authz_svn\mod_authz_svn.c(447) in functionauth_checker(): return HTTP_UNAUTHORIZED;
Possibly this should be changed to HTTP_FORBIDDEN as in functionaccess_checker()?
-- Ivan Zhakov
Received on Fri Sep 2 12:34:44 2005