[ 
https://issues.apache.org/jira/browse/MESOS-4305?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15091896#comment-15091896
 ] 

Alexander Rojas edited comment on MESOS-4305 at 1/14/16 10:40 AM:
------------------------------------------------------------------

* [r/42027/|https://reviews.apache.org/r/42027/]: Changes HTTP responses from 
Unauthorized (401) to Forbidden (403).
* [r/42140/|https://reviews.apache.org/r/42140/]: Removed deprecated 
constructor of http::Unauthorized in libprocess.
* [r/42144/|https://reviews.apache.org/r/42144/]: Removed deprecated 
constructor of http::Unauthorized in Mesos.


was (Author: arojas):
* [r/42027/|https://reviews.apache.org/r/42027/]: Changes HTTP responses from 
Unauthorized (401) to Forbidden (403).
* [r/42140/|https://reviews.apache.org/r/42140/]: Removed usage of deprecated 
constructor for process::http::Unauthorized.

> Endpoints should return "403 Forbidden" instead of "401 Unauthorized"
> ---------------------------------------------------------------------
>
>                 Key: MESOS-4305
>                 URL: https://issues.apache.org/jira/browse/MESOS-4305
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Alexander Rojas
>            Assignee: Alexander Rojas
>            Priority: Minor
>
> It is a common pattern within Mesos to return an HTTP 401 (Unauthorized) 
> response whenever the request is invalid for whatever reason. However, 
> according to the [RFC-2617 Section 
> 1.2|https://tools.ietf.org/html/rfc2617#section-1.2]:
> {quote}
> The 401 (Unauthorized) response message is used by an origin server to 
> challenge the authorization of a user agent. This response MUST include a 
> WWW-Authenticate header field containing at least one challenge applicable to 
> the requested resource.
> {quote}
> Meaning that despite the confusing name, the status code _401 Unauthorized_ 
> should be used only for authentication purposes. On the other hand, the 
> [RFC-2616 Section 
> 10.4.4|http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4] 
> states:
> {quote}
> _(403 Forbidden is returned when)_ The server understood the request, but is 
> refusing to fulfill it. Authorization will not help and the request SHOULD 
> NOT be repeated. If the request method was not HEAD and the server wishes to 
> make public why the request has not been fulfilled, it SHOULD describe the 
> reason for the refusal in the entity. If the server does not wish to make 
> this information available to the client, the status code 404 (Not Found) can 
> be used instead.
> {quote}
> As such, _403 (Forbidden)_ seems to be a better return code when replying 
> inside endpoint handlers, while _401 (Unauthorized)_ should be left to the 
> HTTP Authenticators only.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
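The distinction the issue draws, as an added example that is not Mesos or libprocess code: a hypothetical endpoint that lets an HTTP Basic authenticator answer 401 with the mandatory WWW-Authenticate challenge when credentials are missing or invalid, and lets the handler answer 403 (or 404, as the quoted RFC text allows) once the principal is known but not permitted. The credential table, realm and permission set are constructed for the example.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Constructed, hypothetical credential and permission tables (not Mesos data).
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}
ALLOWED = {"alice"}  # principals permitted to use this endpoint
REALM = "mesos"


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def authenticate(headers):
    """Return the principal for a valid Basic credential, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if sep and hmac.compare_digest(CREDENTIALS.get(user, ""), password):
        return user
    return None


def handle(headers, hide_existence=False):
    principal = authenticate(headers)
    if principal is None:
        # Missing or bad credentials: the authenticator challenges the user agent,
        # so the 401 MUST carry WWW-Authenticate (RFC 2617 section 1.2).
        return Response(401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    if principal not in ALLOWED:
        # Authenticated but refused: resending credentials will not help, so the
        # handler returns 403, or 404 if it wants to hide the resource (RFC 2616 10.4.4).
        if hide_existence:
            return Response(404)
        return Response(403, body=f"principal '{principal}' may not access this endpoint")
    return Response(200, body="ok")


def basic_header(user, password):
    """Build an Authorization header value for constructing sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```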
