Summary: 401 vs 403 in httpd
Product: Apache httpd-2
Component: mod_auth
Reporter: jfclere <jfclere>
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Description jfclere 2006-10-11 01:17:43 UTC
httpd authorisation should return 403 instead of 401, for example when a user is already authenticated but does not have the rights to access a page. For example in this case:
+++
[Mon Oct 02 11:04:57 2006] [error] [client 127.0.0.1] access to /titu/ failed, reason: user 'jfclere' does not meet 'require'ments for user to be allowed access
[Mon Oct 02 11:04:57 2006] [error] [client 127.0.0.1] user jfclere: authorization failure for "/titu/":
+++
Instead of 403, httpd asks again for authentication.
Comment 1 Nick Kew 2006-10-11 01:59:13 UTC
If the user is unauthorised but other credentials would authorise them, then a 401 to prompt the user for that is correct. See for example RFC2616, #10.4.2.
Comment 2 Christian BOITEL 2010-09-06 05:15:34 UTC
This is very annoying, for in some cases a 403 is the required behavior. If you look at it, there is no real true reason for hardcoding a 401 or a 403 response. Why not make the thing configurable instead? An AuthzFailedReturnCode directory/location/server setting defaulting to 401 but allowing to return a 403 if required.
Comment 3 Stefan Fritsch 2010-12-04 08:17:00 UTC
*** Bug 50257 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Fritsch 2010-12-18 12:13:09 UTC
Fixed in r1050677 by adding the AuthzSendForbiddenOnFailure directive.
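An added example (not part of the bug report or of httpd's own documentation) showing how the directive from Comment 4 is used in an httpd 2.4 configuration to get the behaviour the reporter asked for; the Location path, the htpasswd path and the user names are hypothetical:

```apache
# httpd 2.4 example (added here, hypothetical paths and names).
# Needs mod_auth_basic, mod_authn_file, mod_authz_user and mod_authz_core.
<Location "/titu/">
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider file
    # Hypothetical credential store; create it with htpasswd.
    AuthUserFile "/etc/httpd/conf/htpasswd"

    # Authentication succeeds for any user in the file, but only these two
    # pass authorisation. Any other valid user is "authenticated but not
    # authorised", which is exactly the case described in the report.
    Require user alice bob

    # Default (Off): an authenticated-but-unauthorised user receives 401 and
    # a new WWW-Authenticate challenge, the RFC 2616 section 10.4.2 reading
    # from Comment 1, because different credentials might still succeed.
    # On: such a user receives 403 Forbidden instead and is not re-prompted,
    # which is what the reporter and Comment 2 asked for.
    AuthzSendForbiddenOnFailure On
</Location>
```

To confirm the setting took effect, request the location with the credentials of a valid user who is not listed in the Require line (for example with curl -u and -i) and check that the status line is 403 rather than 401 with a WWW-Authenticate header.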
Comment 5 Stefan Fritsch 2011-06-13 20:48:03 UTC
*** Bug 37287 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Fritsch 2012-02-26 16:42:12 UTC
Fixed in 2.4.1.