Bug 40721 - 401 vs 403 in httpd
Summary: 401 vs 403 in httpd
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_auth (show other bugs)
Version: 2.5-HEAD
Hardware: Other other
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
: 37287 50257 (view as bug list)
Depends on:
Reported: 2006-10-11 01:17 UTC by jfclere
Modified: 2012-02-26 16:42 UTC (History)
2 users (show)


Note You need to log in before you can comment on or make changes to this bug.
Description jfclere 2006-10-11 01:17:43 UTC
httpd authorisation should return 403 instead of 401,
for example when a user is already authenticated but does not have the
rights to access to a page.
For example in this case:
[Mon Oct 02 11:04:57 2006] [error] [client] access to /titu/
failed, reason: user 'jfclere' does not meet 'require'ments for user to
be allowed access
[Mon Oct 02 11:04:57 2006] [error] [client] user jfclere:
authorization failure for "/titu/":
Instead 403 httpd asks again for authentication.
Comment 1 Nick Kew 2006-10-11 01:59:13 UTC
If the user is unauthorised but other credentials would authorise them, then a 
401 to prompt the user for that is correct.  See for example RFC2616, #10.4.2.
Comment 2 Christian BOITEL 2010-09-06 05:15:34 UTC
This is a very annoying thing for in some cases a 403 is a required behavior. 

If you look at it, there is no real true reason for hardcoding a 401 or a 403 response. Why not make the thing configurable instead ? A AuthzFailedReturnCode directory/location/server setting defaulting to 401 but allowing to return a 403 if required.
Comment 3 Stefan Fritsch 2010-12-04 08:17:00 UTC
*** Bug 50257 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Fritsch 2010-12-18 12:13:09 UTC
fixed in r1050677 by adding AuthzSendForbiddenOnFailure directive
Comment 5 Stefan Fritsch 2011-06-13 20:48:03 UTC
*** Bug 37287 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Fritsch 2012-02-26 16:42:12 UTC
fixed in 2.4.1