
Re: http error on access denied

From: Ivan Zhakov <chemodax_at_gmail.com>
Date: 2005-09-02 13:00:36 CEST

On 9/2/05, Branko Čibej <brane@xbc.nu> wrote:
> Ivan Zhakov wrote:
>
> >On 9/1/05, Branko Čibej <brane@xbc.nu> wrote:
> >
> >>Branko Čibej wrote:
> >>
> >>>Ben Collins-Sussman wrote:
> >>>
> >>>>On Sep 1, 2005, at 8:19 AM, Ivan Zhakov wrote:
> >>>>
> >>>>>Hi!
> >>>>>Maybe I'm missing something, but I don't understand why subversion
> >>>>>(mod_svn_authz) replies with http error 401 (authorization failed) on
> >>>>>access denied, instead of 403 (forbidden)? My opinion is that 401 means
> >>>>>that the user provided an invalid login/password pair, while 403 means
> >>>>>that the user provided a valid login/password but has no access to this
> >>>>>area. Correct me if I'm wrong.
> >>>>
> >>>>If the user provided invalid login/password, then *authentication*
> >>>>failed. If the access was denied to a specific path, then
> >>>>*authorization* failed.
> >>>>
> >>>>    authentication == establishment of identity
> >>>>    authorization == checking of permissions
> >>>>
> >>>>The problem is that apache 2.0 muddles these two concepts together,
> >>>>referring to them both as "auth". I think apache 2.2 has a new
> >>>>architecture that tries to separate the ideas cleanly.
> >>>>
> >>>>In any case, if permissions are incorrect, then authorization has
> >>>>certainly failed. It just also happens that apache also returns
> >>>>that error when authentication fails too. :-/
> >>>
> >>>It happens that mod_authz_svn returns HTTP_UNAUTHORIZED in
> >>>auth_checker when it should actually return HTTP_FORBIDDEN. And at the
> >>>same time, it writes "Access forbidden" in the log. Weird.
> >>
> >>Um. "Access denied".
> >>
> >>Anyway, mod_authz_svn never does authentication, so it's wrong to return
> >>HTTP_UNAUTHORIZED anywhere.
> >
> >But it does subversion\mod_authz_svn\mod_authz_svn.c(447) in function
> >auth_checker():
> >    return HTTP_UNAUTHORIZED;
> >
> >Possibly this should be changed to HTTP_FORBIDDEN as in function
> >access_checker()?
>
> That's what I said.

Great! I'll wait until it is fixed.
-- Ivan Zhakov
Received on Fri Sep 2 13:01:22 2005
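
The 401/403 distinction discussed in this thread, as an added example that is not part of the original mail and is not mod_authz_svn code: a self-contained C model of a path-based check that answers 401 only while identity is not established and 403 once a known user lacks permission. The rule table, user names, and the functions `path_allowed` and `access_status` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Numeric HTTP statuses; the names mirror the constants quoted in the thread. */
enum { OK = 0, HTTP_UNAUTHORIZED = 401, HTTP_FORBIDDEN = 403 };

/* Constructed sample rules: who may read which path. "*" means anyone. */
struct rule { const char *prefix; const char *user; };
static const struct rule rules[] = {
    { "/repo/public",  "*"     },
    { "/repo/private", "alice" },
};

/* Authorization only: may `user` (NULL = anonymous) access `path`? */
static int path_allowed(const char *user, const char *path)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        size_t n = strlen(rules[i].prefix);
        if (strncmp(path, rules[i].prefix, n) != 0)
            continue;
        if (path[n] != '\0' && path[n] != '/')
            continue;                 /* "/repo/privateer" is not under "/repo/private" */
        if (strcmp(rules[i].user, "*") == 0)
            return 1;
        if (user != NULL && strcmp(rules[i].user, user) == 0)
            return 1;
    }
    return 0;                         /* no matching rule: deny by default */
}

/*
 * user == NULL        : the request carried no credentials
 * authenticated == 0  : credentials were absent or rejected
 */
int access_status(const char *user, int authenticated, const char *path)
{
    if (path_allowed(NULL, path))
        return OK;                    /* anonymous access is sufficient */
    if (user == NULL || !authenticated)
        return HTTP_UNAUTHORIZED;     /* identity not established: challenge */
    if (path_allowed(user, path))
        return OK;
    return HTTP_FORBIDDEN;            /* identity known, permission missing */
}
```
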

This is an archived mail posted to the Subversion Dev mailing list.