401 vs 403 on authorisation failure


401 vs 403 on authorisation failure

bradmacnz
I've just added that check to send a 403 response if there is an authenticated user, but authorisation has failed (or a not auth exception has been thrown)

And will send a 401 if authentication fails, or for any anonymous request.

I vaguely remember something about Windows XP choking on 403's, but who uses that anymore. And if it is a problem for anyone I can make the 403 conditional on the user agent.

/Brad




In reply to Brad McEvoy [hidden email] on 18 Feb 2014 20:37

Hi Ben,

This is probably something that milton should deal with.

So just to confirm the situation, your users can perform read
operations, so GET, PROPFIND etc return normally. But if they attempt a
PUT, DELETE, MKCOL, etc the operation should return a 403 - correct?

I seem to remember there was a problem with early webdav clients which
only handled 401's and 403's caused a problem. But I could look at
improving that now. We could easily return a 401 if authentication
failed and 403 if authorisation failed which would be more semantically
correct.

I'll see if I can pop that in today.

/Brad

BTW: please add yourself to the mailing list before sending to it


On 19/02/14 05:04, [hidden email] wrote:
>>
>> Hi,
>>
>> I'm a new developer in Alinto's team and I have some questions!
>>
>> I need to return a 403 code when a user is authorized to read a
>> shared calendar but is not authorized to write on it (update, cancel
>> or create an event).
>>
>> Is there a way to configure the system so that unauthorized access
>> (indicated by the authorize() method and NotAuthorizedException) is
>> treated as "403 Forbidden" instead?
>>
>> I don't want to override the respondUnauthorised() because I need it
>> to work as it does if a user isn't authorized.
>>
>> With Apple products (running iOS6, 7 or Mac OS X 10.7, 10.8, 10.9),
>> if I return a 401 and the user hasn't the right to write the event,
>> Apple's Operating Systems ask you to login, and loop into this login
>> mechanism until you cancel.
>>
>> I use the 2.6.0.0 version of Milton, and I see that a similar
>> question has already been submitted to you (here is the link:
>> http://lists.justthe.net/pipermail/milton-users/2012-April/001331.html ).
>>
>> Thanks for reading!
>>
>> Ben
>>
 




_______________________________________________
Milton-users mailing list
[hidden email]
http://lists.justthe.net/mailman/listinfo/milton-users
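The 401/403 rule Brad describes, written out as an added example (not Milton's own code): a request with no authenticated principal gets a 401 challenge, an authenticated user who fails the permission check gets a 403, and a per-client flag covers the user-agent fallback he mentions for old clients that only understood 401. The class, method and realm names are hypothetical.

```java
import java.util.Optional;

/** Added example (not Milton's code): choose 401 vs 403 as described in the thread. */
public final class AuthStatus {
    /** Not an HTTP status: signals that the method handler may run. */
    public static final int PROCEED = 0;

    /** Minimal response: the status plus the challenge header a 401 must carry. */
    public static final class Outcome {
        public final int status;
        public final String wwwAuthenticate; // null when no challenge is sent
        Outcome(int status, String wwwAuthenticate) {
            this.status = status;
            this.wwwAuthenticate = wwwAuthenticate;
        }
    }

    private final String realm;
    private final boolean clientAccepts403; // false: downgrade to 401 for legacy clients

    public AuthStatus(String realm, boolean clientAccepts403) {
        this.realm = realm;
        this.clientAccepts403 = clientAccepts403;
    }

    /**
     * principal is empty for an anonymous request or when authentication failed;
     * authorised is the result of the resource's permission check.
     */
    public Outcome decide(Optional<String> principal, boolean authorised) {
        String challenge = "Basic realm=\"" + realm + "\"";
        if (!principal.isPresent()) {
            // Anonymous or bad credentials: challenge so the client prompts for a login.
            return new Outcome(401, challenge);
        }
        if (!authorised) {
            // Known user without permission: 403 tells the client that retrying with
            // the same credentials is pointless, which is what ends the Apple login loop.
            return clientAccepts403 ? new Outcome(403, null) : new Outcome(401, challenge);
        }
        return new Outcome(PROCEED, null);
    }

    public static void main(String[] args) {
        AuthStatus policy = new AuthStatus("calendar", true);
        System.out.println(policy.decide(Optional.empty(), false).status);
        System.out.println(policy.decide(Optional.of("ben"), false).status);
        System.out.println(policy.decide(Optional.of("ben"), true).status);
        System.out.println(new AuthStatus("calendar", false).decide(Optional.of("ben"), false).status);
    }
}
```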

Re: 401 vs 403 on authorisation failure

Benjamin Odorizzi

Thanks Brad, it's perfect, just an update and it all works!

Another thing I've seen, when I changed my test, in CookieAuthenticationHandler, the getDomain() method:

private String getDomain(Request request) {
    String host = request.getHostHeader();
    if (host.contains(":")) {
        host = host.substring(0, host.indexOf(":"));
    }
    if (host == null) {
        host = "nohost";
    }
    return host;
}


If "host" is null, a NullPointerException is thrown: you check whether "host" contains ":" before you check it for null.

Is it normal?

Thank you again ;)

 

Ben

Benjamin ODORIZZI  bodorizzi@...
R&D Department

Alinto // email and more
15 quai Tilsitt - 69002 Lyon (France)
Tel. : +33(0)4 78 38 54 18 - Fax : +33(0)4 26 68 91 68
Website : www.alinto.com
Blog : www.demainlemail.com
Follow Alinto on Twitter & Facebook

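A null-safe rewrite of the getDomain() ordering Ben reports, as an added example (not Milton's own code): the null check runs before any method is called on the header value, and the port is stripped only when one is present. It goes one step beyond the page by also handling a bracketed IPv6 literal, which a plain indexOf(':') would cut in the middle. The class and method names are hypothetical.

```java
/** Added example (not Milton's code): Host header to domain, null check first. */
public final class HostDomain {
    static final String NO_HOST = "nohost";

    /** Returns the host part of a Host header value, or "nohost" when it is missing. */
    public static String domainOf(String hostHeader) {
        // Null check first: in the reported code host.contains(":") ran before the
        // null check, so a request without a Host header threw a NullPointerException.
        if (hostHeader == null) {
            return NO_HOST;
        }
        String host = hostHeader.trim();
        if (host.isEmpty()) {
            return NO_HOST;
        }
        if (host.startsWith("[")) {
            // Bracketed IPv6 literal such as "[::1]:8080": keep everything up to and
            // including the closing bracket, and drop only the port that follows it.
            int close = host.indexOf(']');
            return close < 0 ? NO_HOST : host.substring(0, close + 1);
        }
        int colon = host.indexOf(':');
        String name = colon < 0 ? host : host.substring(0, colon);
        return name.isEmpty() ? NO_HOST : name;
    }

    public static void main(String[] args) {
        System.out.println(domainOf(null));
        System.out.println(domainOf("calendar.example.com:8443"));
        System.out.println(domainOf("calendar.example.com"));
        System.out.println(domainOf("[::1]:8080"));
    }
}
```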


In reply to Brad McEvoy <[hidden email]> on 20 Feb 2014 01:13