Bug 40721

Summary: 401 vs 403 in httpd
Product: Apache httpd-2
Reporter: jfclere <jfclere>
Component: mod_auth
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: normal
CC: nneul, spamtrap
Priority: P2
Keywords: FixedInTrunk
Version: 2.5-HEAD
Target Milestone: ---
Hardware: Other
OS: other

Description jfclere 2006-10-11 01:17:43 UTC
httpd authorisation should return 403 instead of 401, for example when a user is already authenticated but does not have the rights to access a page.
For example in this case:
+++
[Mon Oct 02 11:04:57 2006] [error] [client 127.0.0.1] access to /titu/ failed, reason: user 'jfclere' does not meet 'require'ments for user to be allowed access
[Mon Oct 02 11:04:57 2006] [error] [client 127.0.0.1] user jfclere: authorization failure for "/titu/":
+++
Instead of a 403, httpd asks again for authentication.
Comment 1 Nick Kew 2006-10-11 01:59:13 UTC
If the user is unauthorised but other credentials would authorise them, then a 401 to prompt the user for that is correct. See for example RFC2616, #10.4.2.
Comment 2 Christian BOITEL 2010-09-06 05:15:34 UTC
This is very annoying, for in some cases a 403 is the required behavior.

If you look at it, there is no real reason for hardcoding a 401 or a 403 response. Why not make the thing configurable instead? An AuthzFailedReturnCode directory/location/server setting defaulting to 401 but allowing a 403 to be returned if required.
Comment 3 Stefan Fritsch 2010-12-04 08:17:00 UTC
*** Bug 50257 has been marked as a duplicate of this bug. ***
Comment 4 Stefan Fritsch 2010-12-18 12:13:09 UTC
Fixed in r1050677 by adding the AuthzSendForbiddenOnFailure directive.
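Added example (not from the bug report or the httpd project): a minimal httpd 2.4 configuration for the /titu/ location from the description, showing the mod_authz_core directive introduced in r1050677. The user name, realm and password-file path are placeholders.

```apache
# Constructed example: protect /titu/ with Basic auth and restrict it to one user.
<Location "/titu/">
    AuthType Basic
    AuthName "Restricted area"            # placeholder realm
    AuthBasicProvider file
    AuthUserFile "/path/to/htpasswd"      # placeholder path

    # Authorization rule: only this user may enter (placeholder name).
    Require user alice

    # Default behaviour (Off, pre-2.4.1): an authenticated user who is NOT
    # 'alice' receives 401 and the browser re-prompts for credentials, as
    # described in the original report.
    #
    # With On: the same request is answered with 403 Forbidden instead, so
    # the client is told the credentials were accepted but access is denied
    # and is not asked to authenticate again.
    AuthzSendForbiddenOnFailure On
</Location>
```

Requests that fail authentication itself (no or wrong credentials) still receive 401 regardless of this setting; the directive only changes the status returned when authentication succeeded and authorization failed.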
Comment 5 Stefan Fritsch 2011-06-13 20:48:03 UTC
*** Bug 37287 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Fritsch 2012-02-26 16:42:12 UTC
Fixed in 2.4.1.