[aerogear-dev] [auth] 401 vs. 403

Bruno Oliveira bruno at abstractj.org
Tue Oct 2 07:42:31 EDT 2012


For some reason that I don't remember now, we discussed 401 vs. 403 when the REST authentication API was sent, and people decided on 401.

I'm not picky about it because this is easy to change and only related to our TODO. We discussed authentication methods like Amazon S3 in the past: https://github.com/abstractj/aerogear-security/blob/deltaspike/README.md

We have tons of changes to do now; my only concern with the current TODO app was to get it done for j1.


-- 
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile



On Tuesday, October 2, 2012 at 8:08 AM, Matthias Wessendorf wrote:

> Hi,
> 
> I think they return 403 since they (like us) lack the WWW-Authenticate header.
> 
> Which is required on 401:
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47
> 
> -M
> 
> On Tue, Oct 2, 2012 at 12:56 PM, Matthias Wessendorf <matzew at apache.org> wrote:
> > Hi,
> > 
> > I noticed that with Amazon's S3 (for instance) they return 403 when
> > you are not authorized. Not really sure, but forbidden (403) is
> > perhaps fine when accessing a protected REST endpoint (versus 401) ?
> > 
> > Thoughts?
> > 
> > -Matthias
> > 
> > --
> > Matthias Wessendorf
> > 
> > blog: http://matthiaswessendorf.wordpress.com/
> > sessions: http://www.slideshare.net/mwessendorf
> > twitter: http://twitter.com/mwessendorf
> > 
> 
> 
> 
> 
> -- 
> Matthias Wessendorf
> 
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> 
> 
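
The 401 vs. 403 distinction from this thread, as an added example that is not part of the original messages or of AeroGear's code: one function picks the status for a protected endpoint, and a small linter flags any 401 that lacks the WWW-Authenticate header that RFC 2616 requires. The `Bearer realm="todo"` challenge, the token table, the paths and all function names are assumptions made for illustration.

```python
# Assumed challenge value for illustration; not taken from AeroGear.
CHALLENGE = 'Bearer realm="todo"'

# Constructed sample data: token -> roles granted to that token.
SAMPLE_TOKENS = {"alice-token": {"user"}, "admin-token": {"user", "admin"}}


def auth_status(credentials, valid_tokens, required_role):
    """Return (status, headers) for a request to a protected endpoint."""
    if credentials is None or credentials not in valid_tokens:
        # Not authenticated: 401, and the response must carry a challenge.
        return 401, {"WWW-Authenticate": CHALLENGE}
    if required_role not in valid_tokens[credentials]:
        # Authenticated but not permitted: authenticating again will not help.
        return 403, {}
    return 200, {}


def lint_response(status, headers):
    """Return findings for one response; header names are case-insensitive."""
    names = {k.lower(): v for k, v in headers.items()}
    challenge = names.get("www-authenticate", "").strip()
    if status == 401 and not challenge:
        return ["401 without WWW-Authenticate challenge"]
    return []


def audit(responses):
    """Map each path to its findings, keeping only paths that have any."""
    report = {}
    for path, status, headers in responses:
        findings = lint_response(status, headers)
        if findings:
            report[path] = findings
    return report


# Constructed sample responses: (path, status, headers).
SAMPLE_RESPONSES = [
    ("/tasks", 401, {}),                              # challenge missing
    ("/projects", 401, {"www-authenticate": CHALLENGE}),
    ("/admin", 403, {}),                              # 403 needs no challenge
    ("/tags", 401, {"WWW-Authenticate": "  "}),       # empty challenge
]

if __name__ == "__main__":
    print(auth_status(None, SAMPLE_TOKENS, "user"))
    print(audit(SAMPLE_RESPONSES))
```
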

