401, 403 and 407 401 Unauthorized
This response indicates that the request requires the user to perform authentication. This response is generally sent by a user agent, since the 407 Proxy Authentication Required is sent by a proxy that requires authentication. The exception is a registrar server, which sends a 401 Unauthorized response to a REGISTER message that does not contain the proper credentials. 403 Forbidden This response is used to deny a request without giving the caller any recourse. It is sent when the server has understood the request, found the request to be correctly formulated, but will not service the request. This response is not used when authorization is required. 407 Proxy Authentication Required This request sent by a proxy indicates that the UAC must first authenticate itself with the proxy before the request can be processed. The response should contain information about the type of credentials required by the proxy in a Proxy-Authenticate header field. The request can be resubmitted with the proper credentials in a Proxy-Authorization header field. Unlike in HTTP, this response may not be used by a proxy to authenticate another proxy. I hope these help. So now if I try to think of the case where this discussion started, the following implementation is okay, as for some valid credentials it will be ... A --- REGISTER ---> B A <----- 401 ------ B A --- REGISTER ---> B (with valid and non stale auth info) A <----- 403 ------ B and for others it may be ... A --- REGISTER ---> B A <----- 401 ------ B A --- REGISTER ---> B (with valid and non stale auth info) A <----- 200 ------ B We need to authenticate the credentials and not all may be allowed to REGISTER, but some may ... What do you say? Best regards, Harpreet S Juneja [EMAIL PROTECTED] --- Scott Lawrence <[EMAIL PROTECTED]> wrote: > On Tue, 2004-08-10 at 11:03, [EMAIL PROTECTED] wrote: > > FYI > > > > 403 Forbidden > > > > This response is used to deny a request without giving the caller > any recourse. It is sent when the server has understood the request, > found the request to be correctly formulated, but will not service > the request. This response is not used when authorization is > required. > > That's a reasonable interpretation. We chose to return an > authentication failure (40[17]) if the credentials are not good, but > that does leave open the possibility that the UA could try again. > > Personally, I don't think 403 is the best possible response to a > REGISTER request unless the credentials were good but the requested > operation was not (we know who you are, but you're not allowed to > register - doesn't make much sense to me), but I wouldn't call it > 'broken'. If they are returning 403 when the credentials are > incorrect, > (the username is known and the realm is right but the response hash > is > incorrect, indicating a bad password), then that's broken. > > -- > Scott Lawrence > Consulting Engineer > Pingtel Corp. > sip:[EMAIL PROTECTED] > +1.781.938.5306 x162 > > _______________________________________________ > Sip-implementors mailing list > [EMAIL PROTECTED] > http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors ___________________________________________________________ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com _______________________________________________ Sip-implementors mailing list [EMAIL PROTECTED] http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
