httpd authorisation should return 403 instead of 401, for example when a user is already authenticated but does not have the rights to access a page. For example in this case:
+++
[Mon Oct 02 11:04:57 2006] [error] [client 127.0.0.1] access to /titu/ failed, reason: user 'jfclere' does not meet 'require'ments for user to be allowed access
[Mon Oct 02 11:04:57 2006] [error] [client 127.0.0.1] user jfclere: authorization failure for "/titu/":
+++
Instead of 403, httpd asks again for authentication.
If the user is unauthorised but other credentials would authorise them, then a 401 to prompt the user for that is correct. See for example RFC2616, #10.4.2.
This is a very annoying thing, for in some cases a 403 is a required behavior. If you look at it, there is no real reason for hardcoding a 401 or a 403 response. Why not make the thing configurable instead? An AuthzFailedReturnCode directory/location/server setting defaulting to 401 but allowing a 403 to be returned if required.
*** Bug 50257 has been marked as a duplicate of this bug. ***
fixed in r1050677 by adding AuthzSendForbiddenOnFailure directive
*** Bug 37287 has been marked as a duplicate of this bug. ***
fixed in 2.4.1
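How the directive named in the fix is used in httpd 2.4, as an added example that is not part of the bug thread. The /titu/ path comes from the report; the realm name, password file path and user name `alice` are constructed placeholders.

```apache
# Constructed example: /titu/ is the path from the report above; the realm,
# the htpasswd path and the user name are placeholders.
<Location "/titu/">
    AuthType Basic
    AuthName "titu"
    AuthUserFile "/usr/local/apache2/conf/htpasswd.example"
    Require user alice

    # Default (Off): a user who authenticates successfully but fails the
    # Require check gets 401 again, so the browser re-prompts for credentials.
    # On: that same request gets 403 Forbidden instead.
    # Requests with missing or wrong credentials still get 401 either way.
    AuthzSendForbiddenOnFailure On
</Location>
```

With the directive On, a 403 confirms to the client that the supplied password was valid for that account, so pair it with rate limiting or lockout on failed logins.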