Alexander Rojas created MESOS-4305:
--------------------------------------

             Summary: Endpoints should return "403 Forbidden" instead of "401 
Unauthorized"
                 Key: MESOS-4305
                 URL: https://issues.apache.org/jira/browse/MESOS-4305
             Project: Mesos
          Issue Type: Bug
            Reporter: Alexander Rojas
            Priority: Minor


It is a common pattern within Mesos to return an HTTP 401 (Unauthorized) 
response whenever the request is invalid for whatever reason. However, 
according to the [RFC-2617 Section 
1.2|https://tools.ietf.org/html/rfc2617#section-1.2]:

{quote}
The 401 (Unauthorized) response message is used by an origin server to 
challenge the authorization of a user agent. This response MUST include a 
WWW-Authenticate header field containing at least one challenge applicable to 
the requested resource.
{quote}

Meaning that despite the confusing name, the status code _401 Unauthorized_ 
should be used only for authentication purposes. On the other hand, the 
[RFC-2616 Section 
10.4.4|http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4] states:

{quote}
_(403 Forbidden is returned when)_ The server understood the request, but is 
refusing to fulfill it. Authorization will not help and the request SHOULD NOT 
be repeated. If the request method was not HEAD and the server wishes to make 
public why the request has not been fulfilled, it SHOULD describe the reason 
for the refusal in the entity. If the server does not wish to make this 
information available to the client, the status code 404 (Not Found) can be 
used instead.
{quote}

As such, _403 (Forbidden)_ seems to be a better return code when replying 
inside endpoint handlers, while _401 (Unauthorized)_ should be left to the HTTP 
Authenticators only.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
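The split the ticket argues for, as an added example that is not Mesos code and not part of the original issue: an HTTP Basic authenticator owns the 401 and always attaches the WWW-Authenticate challenge RFC 2617 requires, while the endpoint handler owns the 403 (or the 404 RFC 2616 permits when the server does not want to disclose why it refused). The realm name, credential store, ACL table, endpoint paths and request shape are all constructed for the illustration.

```python
"""401 vs 403 as described in MESOS-4305 (example code, not Mesos code).

Authenticator: decides who the caller is; failure -> 401 + WWW-Authenticate.
Endpoint:      decides what the caller may do; failure -> 403 (or 404).
Realm, credentials, ACLs and paths below are made up for the example.
"""
import base64
import binascii
import hmac
from typing import Dict, Optional, Set, Tuple

REALM = "mesos"  # assumed realm name for the Basic challenge

# Constructed credential store: principal -> secret.
CREDENTIALS: Dict[str, str] = {"alice": "s3cret", "bob": "hunter2"}

# Constructed ACL table: endpoint path -> principals allowed to call it.
# Paths with no entry are closed to everyone.
ACLS: Dict[str, Set[str]] = {
    "/master/quota": {"alice"},
    "/master/state": {"alice", "bob"},
}

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """HTTP Basic authenticator: return the principal, or None if the
    credentials are missing, malformed or wrong."""
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    principal, sep, secret = decoded.partition(":")
    if not sep:
        return None
    expected = CREDENTIALS.get(principal, "")
    # Constant-time comparison so the check does not leak secret prefixes.
    if not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return principal if principal in CREDENTIALS else None


def challenge() -> Response:
    """401 MUST carry a WWW-Authenticate challenge (RFC 2617, section 1.2)."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "Unauthorized"


def forbidden(reason: str) -> Response:
    """403: request understood, caller identified, but not allowed.
    Re-authenticating will not help (RFC 2616, section 10.4.4)."""
    return 403, {"Content-Type": "text/plain"}, reason


def handle(path: str, headers: Dict[str, str], hide_refusal: bool = False) -> Response:
    """Endpoint front door: authenticate first, then authorize."""
    principal = authenticate(headers)
    if principal is None:
        return challenge()  # only the authenticator emits 401
    if principal not in ACLS.get(path, set()):
        if hide_refusal:
            # RFC 2616 allows 404 when the server will not say why it refused.
            return 404, {}, "Not Found"
        return forbidden(f"principal '{principal}' is not authorized for {path}")
    return 200, {"Content-Type": "text/plain"}, f"ok: {principal} may access {path}"


def basic_header(user: str, secret: str) -> Dict[str, str]:
    """Build the Authorization header a client would send (test helper)."""
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print(handle("/master/quota", {}))                                 # 401 + challenge
    print(handle("/master/quota", basic_header("bob", "hunter2")))     # 403
    print(handle("/master/state", basic_header("bob", "hunter2")))     # 200
```

Note that a wrong password and a missing header both produce the same 401 with the same challenge, while an authenticated principal hitting an endpoint it has no ACL entry for gets a 403 whose body explains the refusal; passing `hide_refusal=True` swaps that for the 404 the RFC permits.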
