Hello Matt,

I've entered an issue for this topic: http://restlet.tigris.org/issues/show_bug.cgi?id=985

Thanks for your report.

Best regards,
Thierry Boileau

> I've always thought that 401 "Not Authorized" was poorly chosen wording,
> because it really says the same thing as 403 "Forbidden". However, the
> requirement that a 401 status also MUST send a WWW-Authenticate header I
> think in practice has led 401 to really mean "Not Authenticated" and 403 to
> really mean "Not Authorized". Whereas the description of 403 in RFC 2616
> section 10 explicitly states that "Authentication will not help", which
> implies that either no authentication is possible, the user is simply trying
> to do something the server doesn't want done, or it implies that the user is
> in fact authenticated, and the server is saying the authenticated user isn't
> authorized to do that.
>
> So where does that leave us? I guess I think that the abstract
> implementation of Authenticator should not simply return 204 to the client if
> Authentication has been set to be required, and a concrete subclass has
> returned false in the authenticate() method. It is OK, because it does in
> fact stop the filter, but I think it could be a little bit easier on the
> programmer implementing the concrete subclass. Perhaps setting the status to
> 403 is more appropriate in this case. Anyway, I trust the restlet team's
> judgement here, but if you decide to keep the behavior as it is, then I
> encourage you to document clearly that the unauthenticated() method will also
> need to be overridden in subclasses in order to produce behavior that results
> in a 401 or 403 upon returning false from the authenticate() method. I would
> be happy to look at possible implementations of changing the default behavior
> if it is something the restlet team thinks would be worthwhile.
>
> The good news is that as far as my current project goes, I have custom
> subclasses of Authenticators and Authorizers working very well and I really
> like the new security architecture, I'm just trying to figure out if this
> particular aspect of the behavior is as simple as it could be.
>
> Thanks for your time,
> Matt
>
> ------------------------------------------------------
> http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2429029

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2431078
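The following is an added example, not code from this thread or from Restlet itself, showing the override Matt describes: an Authenticator subclass whose authenticate() checks HTTP Basic credentials and whose unauthenticated() turns the default behaviour into a proper 401 carrying the WWW-Authenticate challenge that RFC 2616 requires. It assumes the org.restlet.security.Authenticator API of Restlet 2.0 (authenticate(), unauthenticated(), Filter.STOP, Response.getChallengeRequests()); the class name, realm string and credential table are made up for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.ChallengeRequest;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Status;
import org.restlet.security.Authenticator;

/**
 * Example Authenticator (not Restlet's own code) that answers a failed
 * authenticate() with 401 plus a WWW-Authenticate challenge.
 * Assumes the Restlet 2.0 Authenticator API.
 */
public class BasicChallengeAuthenticator extends Authenticator {

    // Hypothetical realm name sent back in the challenge.
    private static final String REALM = "example-realm";

    // Constructed sample credential table for the example only; a real
    // deployment would use a Verifier or an external store, never a
    // hard-coded secret.
    private static final Map<String, char[]> USERS = new HashMap<String, char[]>();
    static {
        USERS.put("alice", "s3cret".toCharArray());
    }

    public BasicChallengeAuthenticator(Context context) {
        super(context); // authentication is mandatory (optional = false)
    }

    @Override
    protected boolean authenticate(Request request, Response response) {
        ChallengeResponse cr = request.getChallengeResponse();
        if (cr == null || !ChallengeScheme.HTTP_BASIC.equals(cr.getScheme())) {
            return false; // no credentials, or a scheme this filter does not accept
        }
        char[] expected = USERS.get(cr.getIdentifier());
        char[] presented = cr.getSecret();
        if (expected == null || presented == null) {
            return false; // unknown user or empty secret
        }
        // Constant-time comparison so response timing does not reveal how
        // many leading characters of the secret were correct.
        byte[] a = new String(expected).getBytes(StandardCharsets.UTF_8);
        byte[] b = new String(presented).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
        // On true, the inherited beforeHandle() calls authenticated() and
        // the request continues down the filter chain.
    }

    @Override
    protected int unauthenticated(Request request, Response response) {
        // The client is not (successfully) authenticated: 401, not 403.
        // RFC 2616 requires a 401 to carry WWW-Authenticate, so attach the
        // challenge that tells the client which scheme and realm to use.
        response.setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
        response.getChallengeRequests().add(
                new ChallengeRequest(ChallengeScheme.HTTP_BASIC, REALM));
        return STOP; // stop the filter so the protected resource never runs
    }
}
```

Wire it in front of the protected Restlet as any other Filter (setNext(...) to the resource or Router). Note that 403 is deliberately not produced here: a client whose credentials are missing or rejected may still succeed by authenticating, which is exactly the case 401 describes, whereas "authenticated but not permitted" is the job of a separate Authorizer placed after this filter.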

