[Catalyst] Re: Http Status Chart

Matt Lawrence matt.lawrence at ymogen.net
Thu Mar 13 09:45:59 GMT 2008


Aristotle Pagaltzis wrote:
> * Andrew Rodland <arodland at comcast.net> [2008-03-12 05:55]:
>   
>> Anyway, you get a 401 if the server doesn't know who you are,
>> and it thinks that if you were the right person you might be
>> able to perform that action. You get a 403 if you're not
>> allowed to do that despite who you may or may not be.
>>     
>
> Exactly. 401 means “use a different set of credentials and try
> again”; 403 means “go away, you don’t get to see this.”
>
> So when would 403 happen? F.ex. if access to the resource is
> restricted to certain IP ranges, and you are requesting the
> resource from an IP outside of those. Or in case of Apache, you
> are asking for a URI that’s served from the file system, but the
> web server does not have permission to read that file. Or you
> request a URI with a trailing slash, but the corresponding
> directory has no `index.html` and the server is not configured
> to generate directory listings.
>
> Etc.
>
> Note that RFC 2616 also says that the web server is allowed
> to send 404 instead of 403 when it doesn’t want to reveal the
> existence of a particular resource to third parties.
>
>   
The RFC also says that 401 responses MUST include a WWW-Authenticate 
header field, implying that it is specifically related to HTTP-level 
authentication. Is there a particular status code for denying access 
based on application-level authentication, or should you just use 200 
for that?

Matt
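To make the distinction drawn in this thread concrete, here is a small Python decision routine, added as an illustration and not code from the thread or from Catalyst. It applies the rules above: 401 (which must carry WWW-Authenticate) when different credentials might succeed, 403 when the request is refused regardless of who is asking, and 404 in place of 403 when the server prefers not to reveal that the resource exists. The function and parameter names are my own.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def access_response(identified, permitted, credentials_could_help=True,
                    resource_exists=True, realm="app", hide_existence=False):
    """Pick the status for an access decision following RFC 2616 semantics.

    identified:             the request carried usable credentials.
    permitted:              the (possibly anonymous) requester may act on it.
    credentials_could_help: a different identity could be allowed; False for
                            rules such as IP-range restrictions that apply
                            regardless of who the requester is.
    hide_existence:         answer 404 instead of 403 so third parties cannot
                            learn that the resource exists.
    """
    if not resource_exists:
        return Response(404)
    if permitted:
        return Response(200)
    if not identified and credentials_could_help:
        # 401: "use a different set of credentials and try again". The RFC
        # requires WWW-Authenticate so the client knows which scheme to use.
        return Response(401, {"WWW-Authenticate": f'Basic realm="{realm}"'})
    if hide_existence:
        return Response(404)
    # 403: "go away, you don't get to see this", whoever you are.
    return Response(403)


def rfc_violations(resp):
    """Return the RFC 2616 problems found in a response (empty if none)."""
    problems = []
    if resp.status == 401 and "WWW-Authenticate" not in resp.headers:
        problems.append("401 without WWW-Authenticate header")
    return problems


if __name__ == "__main__":
    # Constructed sample decisions, one per case discussed in the thread.
    print(access_response(identified=False, permitted=False))          # 401
    print(access_response(identified=True, permitted=False))           # 403
    print(access_response(identified=False, permitted=False,
                          credentials_could_help=False))               # 403
    print(access_response(identified=True, permitted=False,
                          hide_existence=True))                        # 404
```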