[aerogear-dev] [auth] 401 vs. 403

Kris Borchers kris at redhat.com
Tue Oct 2 08:37:16 EDT 2012


To be honest, I don't remember the full discussion either, but I am only concerned with 401 on the login endpoint. If we did 403 with a WWW-Authenticate header, I would be OK with that. I think I remember fighting for 401 over 403 because I needed to know it was an auth error, so if it's 403 and there is a WWW-Authenticate header, then I would know it's an auth error.

If that is the proper way, then I will make it work on the JS side. I am all for making the JS side "easier" but not at the expense of doing things in a way people don't expect.

Thoughts?

On Oct 2, 2012, at 6:42 AM, Bruno Oliveira <bruno at abstractj.org> wrote:

> For some reason that I don't remember now, we discussed 401 vs. 403 when the REST authentication API was sent; people decided on 401.
> 
> I'm not picky on it because this is easy to change and only related to our TODO. We discussed authentication methods like Amazon S3 in the past: https://github.com/abstractj/aerogear-security/blob/deltaspike/README.md
> 
> We have tons of changes to do now; my only concern with the current TODO app was to get it done for J1.
> 
> 
> -- 
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
> On Tuesday, October 2, 2012 at 8:08 AM, Matthias Wessendorf wrote:
> 
>> Hi,
>> 
>> I think they return 403 since they (like us) lack the WWW-Authenticate header.
>> 
>> Which is required on 401:
>> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47
>> 
>> -M
>> 
>> On Tue, Oct 2, 2012 at 12:56 PM, Matthias Wessendorf <matzew at apache.org> wrote:
>>> Hi,
>>> 
>>> I noticed that with Amazon's S3 (for instance) they return 403 when
>>> you are not authorized. Not really sure, but Forbidden (403) is
>>> perhaps fine when accessing a protected REST endpoint (versus 401)?
>>> 
>>> Thoughts?
>>> 
>>> -Matthias
>>> 
>>> --
>>> Matthias Wessendorf
>>> 
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf
>> 
>> 
>> 
>> --
>> Matthias Wessendorf
>> 
>> blog: http://matthiaswessendorf.wordpress.com/
>> sessions: http://www.slideshare.net/mwessendorf
>> twitter: http://twitter.com/mwessendorf
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
> 
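The distinction the thread turns on (a 401 must carry WWW-Authenticate per RFC 2616 §14.47, and the JS client wants that header, not the bare status code, to tell an authentication failure from a plain 403) as an added example; this is not AeroGear code, and the header values and the `classifyResponse`/`parseWwwAuthenticate` names are constructed for illustration:

```javascript
// Added example, not from the AeroGear project: classify a REST response
// the way a JS client would, using the WWW-Authenticate challenge as the
// signal that the failure is an authentication problem.

// Parse a WWW-Authenticate value such as 'Bearer realm="todo", error="x"'
// into [{ scheme, params }]. A bare word starts a new challenge; key=value
// pairs attach to the most recent one. Quoted and unquoted values accepted.
function parseWwwAuthenticate(value) {
  const challenges = [];
  const re = /([A-Za-z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|([^\s,]+)))?/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    const [, token, quoted, bare] = m;
    if (quoted === undefined && bare === undefined) {
      challenges.push({ scheme: token, params: {} }); // new auth scheme
    } else if (challenges.length > 0) {
      challenges[challenges.length - 1].params[token.toLowerCase()] =
        quoted !== undefined ? quoted : bare;
    }
  }
  return challenges;
}

// Header names are case-insensitive on the wire; look the header up that way.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Returns { kind, challenges[, specViolation] }.
//  401: always an auth error; flag the missing challenge as a spec violation.
//  403 + WWW-Authenticate: treat as an auth error (the option Kris accepts).
//  403 without it: plain authorization denial, re-authenticating won't help.
function classifyResponse(status, headers) {
  const challenge = getHeader(headers, 'www-authenticate');
  const challenges = challenge ? parseWwwAuthenticate(challenge) : [];
  if (status === 401) {
    return challenge
      ? { kind: 'auth-required', challenges }
      : { kind: 'auth-required', challenges, specViolation: true };
  }
  if (status === 403) {
    return challenge
      ? { kind: 'auth-required', challenges }
      : { kind: 'forbidden', challenges };
  }
  return { kind: 'other', challenges };
}
```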
