First encounter with HTTP 401: on the difference between 401 and 403

Posted by stpeace on 2017-12-11

Recently, when accessing a certain resource, I got an HTTP 401. I was quite puzzled; I had never seen it before, which shows how little I knew.

So I looked it up online: it is an authentication error. I carefully checked my code and found that it was indeed wrong: the configuration was incorrect, and there was an extra space in it, so the authentication information in the HTTP request was wrong, which in turn made the status code in the HTTP response 401. After fixing the code, everything was OK.

Earlier, we also talked about HTTP 403. So what is the difference between HTTP 401 and HTTP 403? Let me quote a passage from the web to explain:


There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.

This is a response generally returned by your web server, not your web application.

It’s also something very temporary; the server is asking you to try again.

So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.
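To make the distinction concrete, here is a small request handler written as an added example for this post (it is not the author's code). It uses a constructed user table and permission table, parses an HTTP Basic Authorization header strictly, answers 401 with a WWW-Authenticate challenge when the credentials are missing, malformed or wrong, and answers 403 when the user is authenticated but has no role for the requested path. The last call in the usage block reproduces the kind of slip described above: an extra space in the header makes the credentials unparseable, so the server can only respond with 401.

```python
import base64
import hmac

# Constructed sample user store: username -> (password, set of roles).
# Plain-text passwords are used only to keep the example self-contained.
USERS = {
    "alice": ("correct horse", {"admin"}),
    "bob": ("battery staple", {"reader"}),
}

# Constructed permission table: roles allowed to access each resource path.
RESOURCE_ROLES = {
    "/admin": {"admin"},
    "/reports": {"admin", "reader"},
}

REALM = "example"


def parse_basic_auth(header_value):
    """Parse an HTTP Basic Authorization header value.

    Returns (username, password), or None when the header is absent or
    malformed. The split is deliberately strict: an extra space between the
    scheme and the token makes the header malformed, which is the kind of
    configuration slip the post describes.
    """
    if header_value is None:
        return None
    parts = header_value.split(" ")
    if len(parts) != 2 or parts[0].lower() != "basic" or not parts[1]:
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def authenticate(credentials):
    """Return the username if the credentials match, else None.

    Uses a constant-time comparison so a wrong password does not leak
    how many leading characters were correct.
    """
    if credentials is None:
        return None
    user, password = credentials
    record = USERS.get(user)
    if record is None:
        return None
    if not hmac.compare_digest(record[0].encode(), password.encode()):
        return None
    return user


def handle_request(path, headers):
    """Return (status_code, response_headers, body) for one request."""
    creds = parse_basic_auth(headers.get("Authorization"))
    user = authenticate(creds)
    if user is None:
        # Not authenticated (missing, malformed or wrong credentials): 401,
        # with a WWW-Authenticate challenge telling the client how to retry.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "authentication required"
    allowed = RESOURCE_ROLES.get(path, set())
    if not USERS[user][1] & allowed:
        # Authenticated but not permitted: 403, no challenge, since retrying
        # with the same identity will not change the outcome.
        return 403, {}, "forbidden"
    return 200, {}, f"hello {user}"


def basic_header(user, password):
    """Build a well-formed Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


if __name__ == "__main__":
    good = basic_header("bob", "battery staple")
    print(handle_request("/reports", {}))                       # 401: no credentials
    print(handle_request("/reports", {"Authorization": good}))  # 200: reader may view reports
    print(handle_request("/admin", {"Authorization": good}))    # 403: reader is not admin
    # The stray-space bug from the post: "Basic  <token>" no longer parses.
    print(handle_request("/reports", {"Authorization": good.replace(" ", "  ")}))  # 401
```

The useful habit when debugging is to read the two codes as the quoted passage does: a 401 means the server never accepted who you are, so the fix lives in the credentials or the header that carries them; a 403 means identity was accepted and the fix lives in the permission assignment.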
