fail in authorise() should respond 403


fail in authorise() should respond 403

psfung
The correct HTTP status should be:
SecurityManager.authenticate() returns null -> 401 Unauthorized
SecurityManager.authorise() returns false -> 403 Forbidden

But Milton responds 401 in both cases.

Re: fail in authorise() should respond 403

bradmacnz
That behaviour is what has been found to produce the best client
compatibility.

Have you seen a compatibility problem?

Or do you think this is inconsistent with the spec? If so please cite
the relevant sections.


On 31/03/17 22:30, psfung wrote:

> The correct HTTP status should be:
> SecurityManager.authenticate() returns null -> 401 Unauthorized
> SecurityManager.authorise() returns false -> 403 Forbidden
>
> But Milton responds 401 in both cases.

_______________________________________________
Milton-users mailing list
[hidden email]
http://lists.justthe.net/mailman/listinfo/milton-users

Re: fail in authorise() should respond 403

psfung
In MS Office the error message for 403 is clearer:
"You do not have the correct permissions. Contact the server administrator"

After a 401, the client would think he has typed in the wrong username/password and retry authentication many times, but that does not solve the permission problem.
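An added example (not Milton's code, and not from either poster) that models the two outcomes from the first post and the client retry loop from this last one: a toy Basic-auth checker with a `distinguish_forbidden` switch, and a simulated client that re-prompts for credentials on every 401. The user store, ACL, realm and paths are constructed for the demo.

```python
import base64

# Constructed demo data: username -> password, and path -> users allowed on it.
USERS = {"alice": "s3cret"}
ACL = {"/shared/report.docx": {"alice"}, "/private/notes.txt": set()}
REALM = "milton-demo"  # assumed realm name for the demo


def authenticate(headers):
    """Return the user name for a valid Basic credential, else None
    (the role of SecurityManager.authenticate() in the thread)."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == password else None


def authorise(user, path):
    """True if the authenticated user may access path (SecurityManager.authorise())."""
    return user in ACL.get(path, set())


def check_access(headers, path, distinguish_forbidden=True):
    """Return (status, response headers). With distinguish_forbidden=False the
    authorise() failure is also reported as 401, the behaviour the thread complains about."""
    user = authenticate(headers)
    if user is None:
        # A 401 must carry WWW-Authenticate (RFC 7235) so the client knows how to retry.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if not authorise(user, path):
        if not distinguish_forbidden:
            return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
        return 403, {}  # credentials were fine; re-prompting cannot help
    return 200, {}


def client_attempts(path, credentials, distinguish_forbidden=True, max_prompts=3):
    """Simulate a client that re-prompts for credentials after each 401.
    Returns (final status, number of credential prompts)."""
    prompts, status = 0, None
    for user, password in credentials:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, _ = check_access({"Authorization": "Basic " + token}, path, distinguish_forbidden)
        prompts += 1
        if status != 401 or prompts >= max_prompts:
            break
    return status, prompts
```

With correct credentials on a forbidden path, the 403 variant stops after one prompt; the 401-for-everything variant keeps prompting until the client gives up.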