Sunday, February 2, 2014

For a web page that exists, but for which a user that does not have sufficient privileges, (they are not logged in or do not belong to the proper user group), what is the proper HTTP response to serve? 401? 403? Something else? What I've read on each so far isn't very clear on the difference between the two. What use cases are appropriate for each response?
share|improve this question
add comment

6 Answers

up vote322down voteaccepted
A clear explanation from Daniel Irvine:
401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.
This is a response generally returned by your web server, not your web application.
It’s also something very temporary; the server is asking you to try again.
So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.
Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”
In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.
share|improve this answer
The default IIS 403 message is "This is a generic 403 error and means the authenticated user is not authorized to view the page", which would seem to agree. –  Ben Challenor Sep 16 '11 at 13:19
Very good answer! More clear than the accepted answer IMO. –  poisson Apr 13 '12 at 12:05
@JPReddy Your answer is correct. However, I would expect that 401 to be named "Unauthenticated" and 403 to be named "Unauthorized". It is very confusing that 401, which has to do with Authentication, has the format accompanying text "Unauthorized"....Unless I am not good in English (which is quite a possibility). –  p.matsinopoulos Jun 20 '12 at 21:48
@ZaidMasud, according to RFC this interpretation is not correct. Cumbayah's answer got it right. 401 means "you're missing the right authorization". It implies "if you want you might try to authenticate yourself". So both a client who didn't authenticate itself correctly and a properly authenticated client missing the authorization will get a 401. 403 means "I won't answer to this, whoever you are". RFC states clearly thath "authorization will not help" in the case of 403. –  Davide R. Nov 24 '12 at 10:38
401 is Authentication error, 403 is Authorization error. Simple as that. –  Shehi Mar 25 '13 at 14:09
show 9 more comments
See the RFC:
401 Unauthorized:
If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.
403 Forbidden:
The server understood the request, but is refusing to fulfill it.
From your use case, it appears that the user is not authenticated. I would return 401.
share|improve this answer
Thanks, that helped clarify it for me. I'm using both - the 401 for unauthenticated users, the 403 for authenticated users with insufficient permissions. –  VirtuosiMedia Jul 21 '10 at 7:51
I didn't downvote but I find this answer quite misleading. 403 forbidden is more appropriately used in content that will never be served (like .config files in its either that or a 404. imho, it wouldn't be appropriate to return 403 for something that can be accessed but you just didn't have the right credentials. my solution would be to give an access denied message with a way to change credentials. that or a 401. –  Mel Dec 22 '11 at 5:07
"The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource." It would seem that if you don't want to use HTTP-style authentication, a 401 response code is not appropriate. –  Brilliand Mar 20 '12 at 1:42
I'll back Billiand here. The statement is "If the request already included Authorization credentials". That means if this is a response from a request which provided the credential (e.g. the response from a RFC2617 Authentication attempt). It is essentially to allow the server to say, "Bad account/password pair, try again". In the posed question, the user is presumably authenticated but not authorized. 401 is never the appropriate response for those circumstances. –  ldrut Feb 5 '13 at 17:20
Brilliand is right, 401 is only appropriate for HTTP Authentication. –  Juampi May 3 '13 at 15:42
show 8 more comments
Something the other answers are missing is that it must be understood that Authentication and Authorization in the context of RFC 2616 refers ONLY to the HTTP Authentication protocol of RFC 2617. Authentication by schemes outside of RFC2617 are not supported in HTTP status codes and are not considered when deciding whether to use 401 or 403..

Brief and Terse

Unauthorized indicates that the client is not RFC2617 authenticated and the server is initiating the authentication process. Forbidden indicates either that the client is RFC2617 authenticated and does not have authorization or that the server does not support RFC2617 for the requested resource.
Meaning if you have your own roll-your-own login process and never use HTTP Authentication, 403 is always the proper response and 401 should never be used.

Detailed and In-Depth

From RFC2616
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8).
10.4.4 403 Forbidden The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.
The first thing to keep in mind is that "Authentication" and "Authorization" in the context of this document refer specifically to the HTTP Authentication protocols from RFC 2617. They do not refer to any roll-your-own authentication protocols you may have created using login pages, etc. I will use "login" to refer to authentication and authorization by methods other than RFC2617
So the real difference is not what the problem is or even if there is a solution. The difference is what the server expects the client to do next.
401 indicates that the resource can not be provided, but the server is REQUESTING that the client log in through HTTP Authentication and has sent reply headers to initiate the process. Possibly there are authorizations that will permit access to the resource, possibly there are not, but lets give it a try and see what happens.
403 indicates that the resource can not be provided and there is, for the current user, no way to solve this through RFC2617 and no point in trying. This may be because it is known that no level of authentication is sufficient (for instance because of an IP blacklist), but it may be because the user is already authenticated and does not have authority. The RFC2617 model is one-user, one-credentials so the case where the user may have a second set of credentials that could be authorized may be ignored. It neither suggests nor implies that some sort of login page or other non-RFC2617 authentication protocol may or may not help - that is outside the RFC2616 standards and definition.
share|improve this answer
IMHO, this is by far the best and most accurate answer. –  Juampi May 3 '13 at 15:22
add comment


oakleyses said...

louis vuitton handbags, oakley sunglasses, louboutin, longchamp outlet, nike shoes, louis vuitton outlet stores, chanel handbags, burberry outlet, prada outlet, jordan shoes, tiffany and co, michael kors outlet, tory burch outlet, louis vuitton outlet, longchamp handbags, nike free, true religion jeans, michael kors outlet, kate spade outlet, polo ralph lauren outlet, tiffany and co, prada handbags, polo ralph lauren outlet, michael kors outlet, michael kors outlet, longchamp handbags, oakley sunglasses, ray ban sunglasses, kate spade handbags, burberry outlet, louis vuitton outlet, louboutin outlet, louboutin, coach factory outlet, air max, air max, coach outlet, gucci outlet, christian louboutin shoes, michael kors outlet, coach purses, ray ban sunglasses, michael kors outlet, louis vuitton, coach outlet store online, true religion jeans, oakley sunglasses cheap

oakleyses said...

ralph lauren, lululemon, air max, hollister, north face, nike air max, polo lacoste, vanessa bruno, timberland, vans pas cher, louboutin, louis vuitton, oakley pas cher, air max pas cher, nike roshe run, air max, true religion outlet, barbour, sac longchamp, air force, hollister, sac louis vuitton, nike free, polo ralph lauren, nike trainers, louis vuitton uk, nike roshe, sac hermes, longchamp, michael kors, sac burberry, sac guess, mulberry, new balance pas cher, converse pas cher, sac louis vuitton, hogan outlet, nike tn, north face, true religion outlet, ray ban pas cher, michael kors, air jordan, nike blazer, nike free pas cher, michael kors pas cher, abercrombie and fitch, ray ban sunglasses

oakleyses said...

mac cosmetics, mont blanc, marc jacobs, canada goose outlet, nike huarache, vans shoes, soccer jerseys, hollister, giuseppe zanotti, beats by dre, abercrombie and fitch, longchamp, insanity workout, celine handbags, bottega veneta, ghd, nfl jerseys, north face outlet, chi flat iron, ugg boots, birkin bag, ugg australia, canada goose, herve leger, ugg pas cher, rolex watches, valentino shoes, canada goose uk, canada goose, ferragamo shoes, canada goose, ugg boots, uggs outlet, north face jackets, soccer shoes, asics running shoes, new balance shoes, p90x, lululemon outlet, canada goose jackets, mcm handbags, instyler, babyliss pro, ugg, wedding dresses, jimmy choo outlet, reebok outlet, nike roshe run

oakleyses said...

parajumpers, karen millen, air max, converse, pandora charms, moncler, louboutin, moncler, links of london, lancel, juicy couture outlet, oakley, hollister, pandora charms, supra shoes, thomas sabo, canada goose, gucci, wedding dresses, timberland boots, swarovski crystal, air max, coach outlet store online, moncler, ray ban, canada goose, moncler, ugg, louis vuitton, swarovski, hollister, montre homme, moncler, hollister clothing store, ralph lauren, rolex watches, moncler outlet, moncler, iphone 6 cases, baseball bats, juicy couture outlet, toms shoes, vans, pandora jewelry, ugg, converse shoes

Anna said...

Great and Useful Article.

Online Java Course

Java Online Training

Java Course Online

Best Recommended books for Spring framework

Java Interview Questions

Java Training Institutes in Chennai

Java Training in Chennai

J2EE Training in Chennai

java j2ee training institutes in chennai

Java Course in Chennai

Zheng junxai5 said...

true religion sale
nike uk
celine bags
michael kors outlet online
oakley sunglasses outlet
adidas boost
oakley outlet
coach outlet canada
beats by dr dre
adidas nmd
kobe 8
nike sb janoski
michael kors outlet
adidas originals
coach factory outlet online
coach factory outlet online
michael kors handbags
nike roshe run
tory burch outlet online
oakley sunglasses
coach factory outlet online
coach outlet store online clearances
michael kors outlet
basketball shoes
nike air max uk
tods sale
lebron 12
cheap ray ban sunglasses
coach outlet online
michael kors
jordan retro 11
michael kors outlet clearance
coach outlet store online clearances
air jordan shoes
oakley sunglasses
beats by dre outlet
ray ban sunglasses
oakley outlet
coach outlet clearance

raybanoutlet001 said...

adidas stan smith women
air jordan
cheap air jordan
ray ban sunglasses outlet
adidas nmd
nike huarache sale
michael kors outlet online
tiffany jewelry
kobe shoes
adidas nmd
michael kors outlet
yeezy boost 350
chrome hearts
nike zoom kobe
tiffany and co outlet online
kobe basketball shoes
cheap tiffanys
tiffany and co outlet
adidas tubular
christian louboutin outlet

Yaro Gabriel said...

oakley sunglasses
ray ban sunglasses
coach canada
canada goose outlet
true religion outlet
air max uk
coach outlet
coach outlet online
christian louboutin outlet
canada goose outlet

5689 said...

pandora jewelry
jimmy choo outlet
pandora jewelry outlet
canada goose jackets
moncler jackets
lacoste outlet
pandora jewelry
valentino shoes
off white clothing
jordan shoes

jeje said...

Quand il s'agit de vêtements d'été pour contact rh nike france femmes, les femmes adorent apparaître merveilleux, ce qui implique l'acquisition la plus récente dans les étiquettes de vêtements urbains. Il a préparé beaucoup d'articles dans plusieurs baskets de sport comme Air Jordan Fusion. Dans ce cas particulier, un ressortissant américain peut ne pas maîtriser la norme chinoise, mais développer une attitude positive à l'égard de la culture chinoise ou indienne est crucial avec le bon fonctionnement du personnel (Noorderhaven, 1997). Par exemple, asics gel lyte 3 femme bleu blanc la gestion était plus pauvre que la natation, le handball, le tennis et un peu mieux que la marche, le golf et les bols pour améliorer la flexibilité. Avec toute cette étude scientifique et de preuves, il vaut vraiment la peine d'essayer un produit avec Helix Aspersa Muller. La sécrétion est recueillie dans une méthode sûre et transformée en une nike air jordan 1 retro high og laser bg crème inodore et incolore sans ingrédients ajoutés.

zzyytt said...

westbrook shoes
pandora jewelry
nike air max 90
fila shoes
jordan 13
yeezy boost
hermes handbags bag
coach outlet sale