What is the difference between 401 Unauthorized and 403 Forbidden?

Viewed 17,554 times

39

When designing an application, it is common for me to be in doubt as to which HTTP code to return when a user does not have access to a certain resource: if it is 401 Unauthorized or if it is 403 Forbidden.

I wanted a clear explanation as to the difference between the two.

  • 4

    +1 for the question. I have the same doubt :)

4 answers

31


401 Unauthorized

It occurs when access to the server resource requires authentication - through the WWW-Authenticate header - and this fails for some reason (missing or invalid credentials). A client trying to connect to the server can try a new request with more appropriate credentials. If a new attempt is made by the same agent with the same credentials, the server must provide more relevant information for the user to understand what is happening.

The semantics to be understood here is that valid authentication is missing, that’s all.

403 Forbidden

It occurs when the server refuses to grant the request because of some rule that determines the denial of access. The client should not try again, even with credentials, since the denial did not occur because the client failed, nor because of something the server can solve on its own. The server can give further information if the attempt is made with the HEAD method. This information must describe the reason for the denial. If it does not wish to give more information, the error code can be exchanged for 404 Not Found.

The semantics here is that no independent access authorization has been given.

Source.

Though it is not strictly correct according to the RFC, some servers are configured to only respond 404 Not Found in either case. This follows the principle of obscurity.

If you consider that authentication via HTTP has fallen out of use in most applications, and that knowing whether the resource does not exist or you cannot access it ultimately amounts to the same thing, then in a pragmatic approach it makes sense to set these two error codes aside.

Of course there may be cases where the recommendation should be used, but you need to know when. Creative and responsible use of the codes is not something inherently bad. REST is a case where they are used a lot, and there are endless discussions about which one to use in each case.

  • 1

    In my opinion it is the most complete answer. It cleared up my doubts :)

  • 1

    I answered because I realized the others were missing something :)

  • 2

    Yes, it turned out to be a good answer, although I answered technical things that really weren't in the question. But all information is welcome :) and this time without belittling the other answers.

  • 3

    I do not belittle other answers; I comment on answers that are devalued by the errors they contain. Letting existing mistakes pass without commenting on anything is a detriment to the whole community. Mistakes should be pointed out, not swept under the carpet. I know a lot of people think the concern should be with the individual; I think the concern should be with the community.

  • 2

    I agree with you; unfortunately, although you have not belittled anyone this time, you still seek to distort things a little, but I will not get into a discussion. I just praised the good answer and its improvement in behaving toward the other answers. :) So long.

18

Error 401 refers only to authentication and does not deal with authorization.

Error 401 is returned when the system fails to identify the user, while error 403 is returned when the system can identify the user but detects that they do not have permission for that content.

13

401 Unauthorized

It is similar to 403 Forbidden, but it is used specifically when authentication is required and it fails or is not done. It is usually used with HTTP Basic Authentication.

403 Forbidden

It may be a restricted area: the request is considered valid, but the server refuses to answer it. Unlike 401 Unauthorized, which requires authentication.

4

There are two important concepts that I explain below. But since the name of error 401 is "unauthorized", when it should actually be "not authenticated", this kind of confusion occurs.

Authentication

Authentication is the process that aims to identify who the user is. In other words, if the user is "logged in", he is authenticated.

Authorization

Authorization is the process that aims to determine whether a user has permission to perform an operation. Naturally, it depends on authentication, because there is no way to know whether a user can do something without knowing who that user is (without being logged in).

401 - Unauthorized

This error only indicates whether the user is authenticated or not, although the error name is "unauthorized", which confuses a lot of people. So forget the name, because the correct name should be "401 - Unauthenticated (Not authenticated)".

403 - Forbidden

This one does indicate that the server knows who the user is (i.e. he is logged in), but the user is not allowed to access the requested resource (hence the name Forbidden).

In short, the whole problem of confusion occurs due to the inappropriate name of error 401!

Source: SOF
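The distinction drawn in the first and last answers (401 = not authenticated, challenge with WWW-Authenticate; 403 = authenticated but not permitted; optionally 404 to hide the denial), worked through as a small request classifier. This is an added example, not code from the original answers; the user table, the roles, the paths and the realm name are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data (not from the page): Basic-auth users with the
# roles they hold, and the role each protected path requires.
USERS = {
    "alice": {"password": "alice-pw", "roles": {"reader", "admin"}},
    "bob":   {"password": "bob-pw",   "roles": {"reader"}},
}
RESOURCES = {"/reports": "reader", "/admin": "admin"}
REALM = "example"


def basic_header(user, password):
    """Build the Authorization header a client would send for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def authenticate(headers):
    """Return the username if the Authorization header carries valid Basic
    credentials, else None (header missing, malformed or wrong password)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = USERS.get(user)
    # Constant-time compare so a wrong password costs the same as a right one.
    if record is None or not hmac.compare_digest(
            record["password"].encode(), password.encode()):
        return None
    return user


def decide_status(headers, path, hide_forbidden_as_404=False):
    """Map a request to (status, extra_headers) with the semantics from the
    answers: 401 = not authenticated, 403 = authenticated but not permitted,
    404 = unknown resource. hide_forbidden_as_404 applies the 'obscurity'
    policy from the first answer to the 403 case; the 401 challenge is kept
    so a client can still log in."""
    user = authenticate(headers)
    if user is None:
        # Challenge before looking the path up, so an unauthenticated client
        # cannot tell which paths exist.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    required_role = RESOURCES.get(path)
    if required_role is None:
        return 404, {}
    if required_role not in USERS[user]["roles"]:
        return (404, {}) if hide_forbidden_as_404 else (403, {})
    return 200, {}
```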
