[aerogear-dev] [auth] 401 vs. 403

Matthias Wessendorf matzew at apache.org
Tue Oct 2 09:04:26 EDT 2012


Hi,

On Tue, Oct 2, 2012 at 2:37 PM, Kris Borchers <kris at redhat.com> wrote:
> To be honest, I don't remember the full discussion either but I am only
> concerned with 401 on the login endpoint. If we did 403 with
> WWW-Authenticate header, I would be ok with that. I think I remember
> fighting for 401 over 403 because I needed to know it was an auth error so
> if it's 403 and there is a WWW-Authenticate header, then I would know it's
> an auth error.

IMO WWW-Authenticate on 403 is wrong.

However, WWW-Authenticate MUST be included on 401 (according to the RFC).

Regarding endpoints:

* 'service endpoint' (e.g. /projects, /tasks etc)
==> I think I like what Amazon does: they give back 403 with NO
WWW-Authenticate header and tell you 'denied'. IMO that's correct for
'service endpoints', which are protected and you don't provide the
_valid_ token.

* login endpoint:
I think that 401 fits fine here, right?
(which perhaps... should include the WWW-Authenticate on that 401)


NOTE: I don't want to change the current design, as it was already
discussed - I'm just raising some items while doing a deeper dive on
'auth', because of native iOS.

-Matthias

>
> If that is the proper way, then I will make it work on the JS side. I am all
> for making the JS side "easier" but not at the expense of doing things in a
> way people don't expect.

>
> Thoughts?
>
> On Oct 2, 2012, at 6:42 AM, Bruno Oliveira <bruno at abstractj.org> wrote:
>
> For some reason that I don't remember now, we discussed 401 vs. 403 when
> the REST authentication API was sent; people decided on 401.
>
> I'm not picky on it because this is easy to change and only related to our
> TODO. We discussed authentication methods like Amazon S3 in the past:
> https://github.com/abstractj/aerogear-security/blob/deltaspike/README.md
>
> We have tons of changes to do now, my only concern at the current TODO app
> was to get it done to j1.
>
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
> On Tuesday, October 2, 2012 at 8:08 AM, Matthias Wessendorf wrote:
>
> Hi,
>
> I think they return 403 since they (like us) lack the WWW-Authenticate
> header.
>
> Which is required on 401:
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47
>
> -M
>
> On Tue, Oct 2, 2012 at 12:56 PM, Matthias Wessendorf <matzew at apache.org>
> wrote:
>
> Hi,
>
> I noticed that with Amazon's S3 (for instance) they return 403 when
> you are not authorized. Not really sure, but is forbidden (403)
> perhaps fine when accessing a protected REST endpoint (versus 401)?
>
> Thoughts?
>
> -Matthias
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
>
>
>
>
> --
> Matthias Wessendorf
>
> blog: http://matthiaswessendorf.wordpress.com/
> sessions: http://www.slideshare.net/mwessendorf
> twitter: http://twitter.com/mwessendorf
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
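The status-code split Matthias proposes above, as an added example that is not part of the thread and not AeroGear's own code: a toy server-side dispatcher that answers the login endpoint with 401 plus the WWW-Authenticate challenge RFC 2616 requires, answers protected service endpoints with a bare S3-style 403, and a client-side check of the kind Kris asks for that tells an auth failure apart from a plain denial (and flags a 401 that arrived without the mandatory header). The login path `/auth/login`, the realm name, the `demo` account, the token value and the `AeroGear` challenge scheme are all constructed for this example; only `/projects` and `/tasks` come from the thread.

```javascript
// Added example, not AeroGear code: applies the split proposed in the thread
// (401 + WWW-Authenticate on the login endpoint, bare 403 on protected service
// endpoints) and shows the client-side classification. Every path, account,
// realm and token below is constructed for the example.

const LOGIN_PATH = '/auth/login';                       // hypothetical login endpoint
const SERVICE_PATHS = new Set(['/projects', '/tasks']); // service endpoints named in the thread
const ACCOUNTS = { demo: 'constructed-password' };      // constructed test account
const VALID_TOKEN = 'constructed-token-value';          // constructed, not a real credential
const REALM = 'todo';                                   // hypothetical realm name

// Case-insensitive header lookup: HTTP header names are not case-sensitive,
// so a client must not depend on the exact spelling the server used.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Server side: decide status and headers for one request.
// req = { path, username?, password?, token? }
function handleRequest(req) {
  if (req.path === LOGIN_PATH) {
    const known = Object.prototype.hasOwnProperty.call(ACCOUNTS, req.username);
    if (known && ACCOUNTS[req.username] === req.password) {
      return { status: 200, headers: {}, body: { token: VALID_TOKEN } };
    }
    // Bad credentials: 401, and RFC 2616 sec. 14.47 says the response MUST
    // carry WWW-Authenticate, so the challenge is included.
    return {
      status: 401,
      headers: { 'WWW-Authenticate': `AeroGear realm="${REALM}"` },
      body: 'unauthorized',
    };
  }
  if (SERVICE_PATHS.has(req.path)) {
    if (req.token === VALID_TOKEN) {
      return { status: 200, headers: {}, body: [] };
    }
    // Missing or invalid token on a protected endpoint: the S3-style answer,
    // 403 with no WWW-Authenticate header, just 'denied'.
    return { status: 403, headers: {}, body: 'denied' };
  }
  return { status: 404, headers: {}, body: 'not found' };
}

// Client side: classify a response so the caller knows whether it was an
// auth error, a denial, or something else.
function classify(res) {
  if (res.status === 401) {
    // A 401 without a challenge violates the RFC; surface that rather than
    // silently treating it as a login failure.
    return getHeader(res.headers, 'www-authenticate') ? 'auth-failed' : 'malformed-401';
  }
  if (res.status === 403) return 'denied';
  if (res.status >= 200 && res.status < 300) return 'ok';
  return 'other';
}

// Walk the scenarios discussed in the thread and return each classification.
function runScenarios() {
  const login = handleRequest({ path: LOGIN_PATH, username: 'demo', password: ACCOUNTS.demo });
  return {
    badLogin: classify(handleRequest({ path: LOGIN_PATH, username: 'demo', password: 'wrong' })),
    goodLogin: classify(login),
    noToken: classify(handleRequest({ path: '/projects' })),
    badToken: classify(handleRequest({ path: '/tasks', token: 'stale' })),
    goodToken: classify(handleRequest({ path: '/tasks', token: login.body.token })),
    bare401: classify({ status: 401, headers: {}, body: '' }),
  };
}

console.log(runScenarios());
```

The client never has to inspect a WWW-Authenticate header on a 403 to recognise a denial, which is the point of keeping the header off that response; the header check only matters on 401, where its absence is a server bug worth surfacing in logs rather than masking.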
