iGeeky commented on PR #7497: URL: https://github.com/apache/apisix/pull/7497#issuecomment-1190099066
@tzssangglass

> 403 is the client with the correct authentication information, but the server believes that the authentication information corresponding to the user does not have the corresponding resource access rights, so there is no need to retry before obtaining the relevant rights from the administrator.

Yes, this is the case for the place I want to change. So it should use 403.

> The logic of using 401 instead of 403 here is actually to hide the message. It is possible for an attacker to determine whether the account password is correct by judging the status code.

I don't understand this. The place to change is when accessing resources, which should have nothing to do with authentication. So there will be no account/password operation.
