Not Authorized Http Error 403
Stack Overflow question: 403 Forbidden vs 401 Unauthorized HTTP responses

For a web page that exists, but for which a user does not have sufficient privileges (they are not logged in or do not belong to the proper user group), what is the proper HTTP response to serve? 401? 403? Something else? What I've read on each so far isn't very clear on the difference between the two. What use cases are appropriate for each response?

Tags: http-headers, http-status-code-403, http-status-codes, http-status-code-401, http-response-codes

Asked Jul 21 '10 at 7:21 by VirtuosiMedia; edited Nov 17 '15 at 13:24 by MK-rou.

Comments:

401 'Unauthorized' should be 401 'Unauthenticated', problem solved! – Christophe Roussy, May 17 at 12:33

Wow. The answers below are ridiculously all over the map. It seems that the correct answer is undefined for non-HTTP authentication. – Joe Lapp, Jun 7 at 19:30

11 Answers

Accepted answer (1687 votes):

A clear explanation from Daniel Irvine:

There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization. Receiving a 401 response is the server telling you, "you aren't authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again." To help you out, it will always include a WWW-Authenticate header that describes how to authenticate. This is a response generally returned by your web server, not your web application. It
(Source: http://www.checkupdown.com/status/E403.html)

by the URL is forbidden for some reason. This indicates a fundamental access problem, which may be difficult to resolve because the HTTP protocol allows the Web server to give this response without providing any reason at all. So the 403 error is equivalent to a blanket 'NO' by the Web server - with no further discussion allowed. By far the most common reason for this error is that directory browsing is forbidden for the Web site. Most Web sites want you to navigate using the URLs in the Web pages for that site. They do not often allow you to browse the file directory structure of the site. For example try the following URL (then hit the 'Back' button in your browser to return to this page): http://www.checkupdown.com/accounts/grpb/B1394343/ This URL should fail with a 403 error saying "Forbidden: You don't have permission to access /accounts/grpb/B1394343/ on this server". This is because our CheckUpDown Web site deliberately does not want you to browse directories - you have to navigate from one specific Web page to another using the hyperlinks in those Web pages. This is true for most Web sites on the Internet - their Web server has "Allow directory browsing" set OFF.

Fixing 403 errors - general

You first need to confirm if you have encountered a "No directory browsing" problem. You can see this if the URL ends in a slash '/' rather than the name of a specific Web page (e.g. .htm or .html). If this is your problem, then you have no option but to access individual Web pages for that Web site directly. It is possible that there should be some content in the directory, but there is none there yet.
For example if your ISP offers a 'Home Page' then you need to provide some content - usually HTML files - for the Home Page directory that your ISP assigns to you. Until the content is there, anyone trying to access your Home Page could encounter a 403 error. The solution is to upload the missing content - directly yourself or by providing it to your ISP. Once the content is in the directory, it also needs to be authorised for public access via the Internet. Your ISP should do this as a matter of course - if they do not, then they have missed a no-brainer step. If
Forbidden RESTful Requests: 401 vs. 403 vs. 404
By Ben Nadel on July 19, 2012. Tags: ColdFusion
(Source: https://www.bennadel.com/blog/2400-handling-forbidden-restful-requests-401-vs-403-vs-404.htm)

I don't have a tremendous amount of experience building RESTful APIs; so, it's not always clear which HTTP status code in the 4xx block I should use when refusing to fulfill an incoming resource request. One tricky scenario that I've had to code against recently is the request for a properly formed, valid resource that the authenticating user doesn't have permission to view. Imagine that we have two users in our system: Sarah, with ID 4, and Tricia, with ID 37. Now, imagine that Sarah makes an authenticated request to view Tricia's profile resource:

    GET /users/37/profile HTTP/1.1
    Authorization: Basic YmVuK2F206dGVzdA==
    Accept: application/json

Here, Sarah is using Basic Authorization to identify herself as Sarah; however, she's making a request to another user's profile (Tricia's). For sake of argument, let's say that in this API, a user can only view his or her own profile. What HTTP status code should I return? The three status codes that felt the most appropriate are:

    401 - Unauthorized
    403 - Forbidden
    404 - Not Found

In my mind, the use of each of these three HTTP status codes could be justified. Sarah is not authorized to view Tricia's profile (401); Sarah is forbidden from viewing someone else's profile (403); and, Sarah simply cannot see resources that she's not allowed to view (404). The initial problem that I had with using either of the HTTP status codes, 401 or 403, was that I felt like it was exposing secure information. Both of those responses sort of say, "Yeah, that resource exists, but you can't see it." My problem with this is that it confirms that those resources exist.
When you ask a Doctor if he treats a particular patient (at least in Law & Order - wicked awesome show!), he will often say something to the effect of, "Officer, you know I can neither confirm nor deny having a patient as it would be a breach of doctor-patient confidentiality." This is how I feel about 401 and 403 in this particular type of resource request - I don't want to confirm or deny its existence. Then, one day,
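As an added illustration (not code from the Stack Overflow answer or from Ben Nadel's post), this small Python request handler applies the distinction drawn above: 401 with a WWW-Authenticate header when the caller is not authenticated or presents bad credentials, 403 when Sarah is authenticated but asks for Tricia's profile, and optionally 404 so the response does not confirm that the profile exists. The user store, names, passwords and realm are constructed for the demo.

```python
import base64
import hmac
import re

# Constructed sample user store: id -> (username, password). Not real credentials.
USERS = {4: ("sarah", "sarah-pass"), 37: ("tricia", "tricia-pass")}
PROFILE_RE = re.compile(r"^/users/(\d+)/profile$")


def authenticate(headers):
    """Return the user id for a valid Basic credential, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        username, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or non-UTF-8 bytes
        return None
    for uid, (name, secret) in USERS.items():
        if name == username and hmac.compare_digest(secret.encode(), password.encode()):
            return uid
    return None


def handle(method, path, headers, hide_existence=False):
    """Return (status, headers, body) for GET /users/<id>/profile."""
    m = PROFILE_RE.match(path)
    if method != "GET" or not m:
        return 404, {}, "Not Found"
    caller = authenticate(headers)
    if caller is None:
        # 401: the caller is not authenticated; WWW-Authenticate says how to fix that.
        return 401, {"WWW-Authenticate": 'Basic realm="profiles"'}, "Unauthorized"
    target = int(m.group(1))
    if target not in USERS:
        return 404, {}, "Not Found"
    if caller != target:
        # Authenticated, but policy forbids viewing someone else's profile.
        # 403 admits the profile exists; 404 makes it indistinguishable from a missing one.
        if hide_existence:
            return 404, {}, "Not Found"
        return 403, {}, "Forbidden"
    body = '{"id": %d, "name": "%s"}' % (target, USERS[target][0])
    return 200, {"Content-Type": "application/json"}, body


def basic(username, password):
    """Build a Basic Authorization header value (demo helper)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
```

With hide_existence=True, the denied request and a request for a user id that does not exist return byte-identical responses, which is the property the "neither confirm nor deny" argument asks for.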