[aerogear-dev] [auth] 401 vs. 403

Matthias Wessendorf matzew at apache.org
Tue Oct 2 07:08:31 EDT 2012


Hi,

I think they return 403 since they (like us) lack the WWW-Authenticate header.

Which is required on 401:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47

-M

On Tue, Oct 2, 2012 at 12:56 PM, Matthias Wessendorf <matzew at apache.org> wrote:
> Hi,
>
> I noticed that with Amazon's S3 (for instance) they return 403 when
> you are not authorized. Not really sure, but forbidden (403) is
> perhaps fine when accessing a protected REST endpoint (versus 401)?
>
> Thoughts?
>
> -Matthias
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
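
An added example, not part of the original message or of AeroGear's code: a handler-side decision between 401 and 403 for a protected REST endpoint, plus a check that flags a 401 sent without the `WWW-Authenticate` header that RFC 2616 section 14.47 requires. The Bearer scheme, the realm, the token table and the function names are assumptions made for illustration.

```javascript
// Constructed sample data: token -> principal. Not from the original thread.
const TOKENS = new Map([
  ["tok-alice", { user: "alice", roles: ["admin"] }],
  ["tok-bob", { user: "bob", roles: ["reader"] }],
]);
const CHALLENGE = 'Bearer realm="api"'; // assumed scheme and realm

// Decide the response for a protected endpoint that needs `requiredRole`.
// headers: object with lower-cased header names, as Node's http module provides.
function authorize(headers, requiredRole) {
  const m = /^Bearer +(\S+)$/i.exec(headers["authorization"] || "");
  const principal = m ? TOKENS.get(m[1]) : undefined;
  if (!principal) {
    // Missing or unknown credentials: the client may retry with credentials,
    // so answer 401 and include the challenge that a 401 must carry.
    return { status: 401, headers: { "WWW-Authenticate": CHALLENGE } };
  }
  if (!principal.roles.includes(requiredRole)) {
    // Identity is known but not allowed: re-authenticating will not help.
    return { status: 403, headers: {} };
  }
  return { status: 200, headers: {}, user: principal.user };
}

// Conformance check for an outgoing response: true when a 401 lacks
// the WWW-Authenticate header (header names compared case-insensitively).
function missingChallenge(res) {
  const names = Object.keys(res.headers).map((h) => h.toLowerCase());
  return res.status === 401 && !names.includes("www-authenticate");
}
```

`missingChallenge` can run in a response filter or an integration test so that a 401 without a challenge is caught before release.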