
Re: http error on access denied

From: Branko Čibej <brane_at_xbc.nu>
Date: 2005-09-02 12:45:34 CEST

Ivan Zhakov wrote:

>On 9/1/05, Branko Čibej <brane@xbc.nu> wrote:
>
>
>>Branko Čibej wrote:
>>
>>
>>
>>>Ben Collins-Sussman wrote:
>>>
>>>
>>>
>>>>On Sep 1, 2005, at 8:19 AM, Ivan Zhakov wrote:
>>>>
>>>>
>>>>
>>>>>Hi!
>>>>>Maybe I'm missing something, but I don't understand why subversion
>>>>>(mod_svn_authz) replies with http error 401 (authorization failed) on
>>>>>access denied, instead of 403 (forbidden)? My opinion is that 401 means
>>>>>that the user provided an invalid login/password pair, while 403 means that the user
>>>>>provided a valid login/password but has no access to this area. Correct
>>>>>me if I'm wrong.
>>>>>
>>>>>
>>>>
>>>>
>>>>If the user provided invalid login/password, then *authentication*
>>>>failed. If the access was denied to a specific path, then
>>>>*authorization* failed.
>>>>
>>>> authentication == establishment of identity
>>>> authorization == checking of permissions
>>>>
>>>>The problem is that apache 2.0 muddles these two concepts together,
>>>>referring to them both as "auth". I think apache 2.2 has a new
>>>>architecture that tries to separate the ideas cleanly.
>>>>
>>>>In any case, if permissions are incorrect, then authorization has
>>>>certainly failed. It just also happens that apache also returns
>>>>that error when authentication fails too. :-/
>>>>
>>>>
>>>It happens that mod_authz_svn returns HTTP_UNAUTHORIZED in
>>>auth_checker when it should actually return HTTP_FORBIDDEN. And at the
>>>same time, it writes "Access forbidden" in the log. Weird.
>>>
>>>
>>Um. "Access denied".
>>
>>Anyway, mod_authz_svn never does authentication, so it's wrong to return
>>HTTP_UNAUTHORIZED anywhere.
>>
>>
>But it does subversion\mod_authz_svn\mod_authz_svn.c(447) in function
>auth_checker():
> return HTTP_UNAUTHORIZED;
>
>Possibly this should be changed to HTTP_FORBIDDEN as in function
>access_checker()?
>
>
That's what I said.

-- Brane

Received on Fri Sep 2 12:46:29 2005
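
The split discussed in this thread, as an added example that is not part of the original mail and is not Subversion's mod_authz_svn code: a self-contained C model in which only the authentication step can yield 401 and the path-permission step yields 403. The function names, accounts and path rules are hypothetical and constructed for illustration; the three status values match Apache's httpd.h.

```c
#include <stdio.h>
#include <string.h>

/* Status values as defined in Apache's httpd.h. */
#define OK                0
#define HTTP_UNAUTHORIZED 401
#define HTTP_FORBIDDEN    403

/* Constructed sample data (assumption): accounts and per-path access rules. */
struct account { const char *user, *password; };
struct rule    { const char *prefix, *user; };
static const struct account accounts[] = { {"alice", "alice-pw"}, {"bob", "bob-pw"} };
static const struct rule rules[] = {
    {"/repo", "alice"}, {"/repo", "bob"}, {"/repo/private", "alice"} };

/* Authentication: establish identity. Failure is 401.
   (Toy plaintext compare; a real server verifies a password hash.) */
static int check_authn(const char *user, const char *password) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0 &&
            strcmp(accounts[i].password, password) == 0)
            return OK;
    return HTTP_UNAUTHORIZED;
}

/* Length of prefix if it covers path on a segment boundary, else 0. */
static size_t match_len(const char *prefix, const char *path) {
    size_t n = strlen(prefix);
    if (strncmp(prefix, path, n) != 0) return 0;
    return (path[n] == '\0' || path[n] == '/') ? n : 0;
}

/* Authorization: identity is already known, so denial is 403, never 401.
   The most specific (longest) matching prefix decides; no match denies. */
static int check_authz(const char *user, const char *path) {
    size_t best = 0;
    int allowed = 0;
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        size_t n = match_len(rules[i].prefix, path);
        if (n == 0 || n < best) continue;
        if (n > best) { best = n; allowed = 0; }
        if (strcmp(rules[i].user, user) == 0) allowed = 1;
    }
    return allowed ? OK : HTTP_FORBIDDEN;
}

/* Authorization only runs once authentication has succeeded. */
int request_status(const char *user, const char *password, const char *path) {
    int rc = check_authn(user, password);
    return rc != OK ? rc : check_authz(user, path);
}

int main(void) { printf("%d\n", request_status("bob", "bob-pw", "/repo/private/x")); return 0; }
```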

This is an archived mail posted to the Subversion Dev mailing list.
