Hi,
I think they return 403 since they (like us) lack the WWW-Authenticate header.
Which is required on 401:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47
-M
On Tue, Oct 2, 2012 at 12:56 PM, Matthias Wessendorf <matzew(a)apache.org> wrote:
Hi,
I noticed that with Amazon's S3 (for instance) they return 403 when
you are not authorized. Not really sure, but forbidden (403) is
perhaps fine when accessing a protected REST endpoint (versus 401) ?
Thoughts?
-Matthias
--
Matthias Wessendorf
blog:
http://matthiaswessendorf.wordpress.com/
sessions:
http://www.slideshare.net/mwessendorf
twitter:
http://twitter.com/mwessendorf
--
Matthias Wessendorf
blog:
http://matthiaswessendorf.wordpress.com/
sessions:
http://www.slideshare.net/mwessendorf
twitter:
http://twitter.com/mwessendorf