From patrick.dowler at nrc-cnrc.gc.ca Mon Dec 12 10:55:29 2011
From: patrick.dowler at nrc-cnrc.gc.ca (Patrick Dowler)
Date: Mon, 12 Dec 2011 10:55:29 -0800
Subject: use of HTTP code 401 for PermissionDenied
Message-ID: <201112121055.29596.patrick.dowler@nrc-cnrc.gc.ca>

The vospace 2 spec says to use 401 PermissionDenied (eg in 5.3.1.3) but the
http spec is pretty clear that 401 is for when you need to authenticate and
403 is for when you are not allowed. I know the text of the http docs calls
401 "Unauthorized" but they do really mean "Unauthenticated".

So, can/should we change all the "401 PermissionDenied" to 403?

As an aside, section 4 says that access control is more or less orthogonal to
the vospace spec, which is as it should be. So the PermissionDenied fault
should be considered more a suggestion than part of the spec and we should
make it consistent. The correct thing for the client to do with a 401 is not
really in keeping with the vospace or SSO...

--

Patrick Dowler
Tel/Tél: (250) 363-0044
Canadian Astronomy Data Centre
National Research Council Canada
5071 West Saanich Road
Victoria, BC V9E 2M7

Centre canadien de donnees astronomiques
Conseil national de recherches Canada
5071, chemin West Saanich
Victoria (C.-B.) V9E 2M7


From mjg at cacr.caltech.edu Mon Dec 12 11:09:38 2011
From: mjg at cacr.caltech.edu (Matthew Graham)
Date: Mon, 12 Dec 2011 11:09:38 -0800
Subject: use of HTTP code 401 for PermissionDenied
In-Reply-To: <201112121055.29596.patrick.dowler@nrc-cnrc.gc.ca>
References: <201112121055.29596.patrick.dowler@nrc-cnrc.gc.ca>
Message-ID: <49329DD3-44CC-4220-ACD1-C03AD419D107@cacr.caltech.edu>

Hi Pat,

The RFC for VOSpace 2.0 will be announced within the next ten days and I
think that this is a great comment to make in that forum.

Cheers,

Matthew

On Dec 12, 2011, at 10:55 AM, Patrick Dowler wrote:

>
> The vospace 2 spec says to use 401 PermissionDenied (eg in 5.3.1.3) but the
> http spec is pretty clear that 401 is for when you need to authenticate and
> 403 is for when you are not allowed. I know the text of the http docs calls
> 401 "Unauthorized" but they do really mean "Unauthenticated".
>
> So, can/should we change all the "401 PermissionDenied" to 403?
>
> As an aside, section 4 says that access control is more or less orthogonal to
> the vospace spec, which is as it should be. So the PermissionDenied fault
> should be considered more a suggestion than part of the spec and we should
> make it consistent. The correct thing for the client to do with a 401 is not
> really in keeping with the vospace or SSO...
>
> --
>
> Patrick Dowler
> Tel/Tél: (250) 363-0044
> Canadian Astronomy Data Centre
> National Research Council Canada
> 5071 West Saanich Road
> Victoria, BC V9E 2M7
>
> Centre canadien de donnees astronomiques
> Conseil national de recherches Canada
> 5071, chemin West Saanich
> Victoria (C.-B.) V9E 2M7
>
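The distinction Patrick raises (401 means "authenticate, then retry", 403 means "you are known, and the answer is no") is easiest to see in a server that returns both, paired with a client that reacts to each the way the HTTP spec intends. The following is an added example written for this archive page; it is not code from the VOSpace specification, from either poster, or from any VOSpace implementation. It assumes HTTP Basic authentication and a constructed, in-memory node ACL (the user names, passwords and node paths are invented sample data), and it models the request handler as a plain function so it runs offline.

```python
import base64
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not from any real VOSpace service):
# Basic-auth credentials and a per-node ACL for a toy VOSpace-like node store.
USERS = {"alice": "wonderland", "bob": "builder"}
NODE_ACL = {
    "/vos/alice/data":    {"read": {"alice", "bob"}, "write": {"alice"}},
    "/vos/alice/private": {"read": {"alice"},        "write": {"alice"}},
}
# RFC 7235 requires a 401 to carry a WWW-Authenticate challenge.
WWW_AUTH = 'Basic realm="vospace"'


@dataclass
class Response:
    status: int
    reason: str                      # VOSpace-style fault name where one applies
    headers: dict = field(default_factory=dict)
    body: str = ""


def authenticate(headers):
    """Return the user name for a valid Basic Authorization header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:               # covers binascii.Error and UnicodeDecodeError
        return None
    return user if USERS.get(user) == password else None


def handle(method, path, headers):
    """Map a request to the status code the HTTP semantics call for."""
    user = authenticate(headers)
    if user is None:
        # No usable credentials: 401 tells the client to obtain credentials and
        # retry. Deciding this before looking the node up also keeps an
        # unauthenticated caller from learning which paths exist.
        return Response(401, "Unauthorized", {"WWW-Authenticate": WWW_AUTH},
                        "authentication required")
    acl = NODE_ACL.get(path)
    if acl is None:
        return Response(404, "NodeNotFound", body=f"{path} does not exist")
    action = "read" if method in ("GET", "HEAD") else "write"
    if user not in acl[action]:
        # Identity is established but policy says no: 403, with no challenge,
        # because re-authenticating as the same principal will not help.
        return Response(403, "PermissionDenied", body=f"{user} may not {action} {path}")
    return Response(200, "OK", body=f"{action} {path} as {user}")


def basic_header(user, password):
    """Build the Authorization header a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def client_fetch(method, path, credential_source, max_auth_attempts=1):
    """Client side: on 401 acquire credentials and retry once; on 403 stop.

    credential_source is a callable returning (user, password); in a real
    client this would prompt the user or consult an SSO token cache.
    """
    headers, attempts = {}, 0
    while True:
        resp = handle(method, path, headers)
        if (resp.status == 401 and "WWW-Authenticate" in resp.headers
                and attempts < max_auth_attempts):
            attempts += 1
            headers = basic_header(*credential_source())
            continue
        return resp                  # 200, 403, 404, or a 401 we cannot satisfy


if __name__ == "__main__":
    for method, path, creds in [
        ("GET", "/vos/alice/data", lambda: ("bob", "builder")),
        ("PUT", "/vos/alice/data", lambda: ("bob", "builder")),
        ("GET", "/vos/alice/private", lambda: ("alice", "wonderland")),
    ]:
        r = client_fetch(method, path, creds)
        print(f"{method} {path}: {r.status} {r.reason}")
```

The client loop is the part that makes the thread's point concrete: a 401 is actionable (it carries a challenge naming the scheme, so the client can supply credentials and retry), whereas a 403 is final for the current identity, and a client that treated a PermissionDenied 401 as "please log in again" would loop or prompt pointlessly. On the server side, checking credentials before the node lookup is a small hardening choice, not something the spec text requires.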