Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-4305

Endpoints should return "403 Forbidden" instead of "401 Unauthorized"



    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:


      It is a common patter within Mesos to return an HTTP 401 (Unauthorized) response whenever the request is invalid for whatever reason. However, according to the RFC-2617 Section 1.2:

      The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource.

      Meaning that despite the confusing name, the status code 401 Unauthorized should be used only for authentication purposes. On the other hand, the RFC-2616 Section 10.4.4 states:

      (403 Forbidden is returned when) The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

      As such, 403 (Forbidden) seems to be a better return code when replying inside endpoint handlers, while 401 (Unauthorized) should be left to the HTTP Authenticators only.




            • Assignee:
              arojas Alexander Rojas
              arojas Alexander Rojas
              Till Toenshoff
            • Votes:
              0 Vote for this issue
              3 Start watching this issue


              • Created: