401, 403 and 407  

401 Unauthorized

This response indicates that the request requires the user to perform
authentication. This response is generally sent by a user agent, since
the 407 Proxy Authentication Required is sent by a proxy that requires
authentication. The exception is a registrar server, which sends a 401
Unauthorized response to a REGISTER message that does not contain the
proper credentials. 

403 Forbidden

This response is used to deny a request without giving the caller any
recourse. It is sent when the server has understood the request, found
the request to be correctly formulated, but will not service the
request. This response is not used when authorization is required.

407 Proxy Authentication Required

This request sent by a proxy indicates that the UAC must first
authenticate itself with the proxy before the request can be processed.
The response should contain information about the type of credentials
required by the proxy in a Proxy-Authenticate header field. The request
can be resubmitted with the proper credentials in a Proxy-Authorization
header field. Unlike in HTTP, this response may not be used by a proxy
to authenticate another proxy.

I hope these help. 

So now if I try to think of the case where this discussion started, the
following implementation is okay, as for some valid credentials it will
be ... 

A --- REGISTER ---> B
A <----- 401 ------ B
A --- REGISTER ---> B (with valid and non stale auth info)
A <----- 403 ------ B

and for others it may be ...

A --- REGISTER ---> B
A <----- 401 ------ B
A --- REGISTER ---> B (with valid and non stale auth info)
A <----- 200 ------ B

We need to authenticate the credentials and not all may be allowed to
REGISTER, but some may ...

What do you say?

Best regards,
Harpreet S Juneja
[EMAIL PROTECTED]

 --- Scott Lawrence <[EMAIL PROTECTED]> wrote: 
> On Tue, 2004-08-10 at 11:03, [EMAIL PROTECTED] wrote:
> > FYI
> > 
> > 403 Forbidden
> > 
> > This response is used to deny a request without giving the caller
> any recourse. It is sent when the server has understood the request,
> found the request to be correctly formulated, but will not service
> the request. This response is not used when authorization is
> required.
> 
> That's a reasonable interpretation.  We chose to return an
> authentication failure (40[17]) if the credentials are not good, but
> that does leave open the possibility that the UA could try again.
> 
> Personally, I don't think 403 is the best possible response to a
> REGISTER request unless the credentials were good but the requested
> operation was not (we know who you are, but you're not allowed to
> register - doesn't make much sense to me), but I wouldn't call it
> 'broken'.  If they are returning 403 when the credentials are
> incorrect,
> (the username is known and the realm is right but the response hash
> is
> incorrect, indicating a bad password), then that's broken.
> 
> -- 
> Scott Lawrence
> Consulting Engineer
> Pingtel Corp.   
> sip:[EMAIL PROTECTED]
> +1.781.938.5306 x162
> 
> _______________________________________________
> Sip-implementors mailing list
> [EMAIL PROTECTED]
> http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors



        
        
                
___________________________________________________________ALL-NEW Yahoo! Messenger - 
all new features - even more fun!  http://uk.messenger.yahoo.com
_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors

Reply via email to