If a user is properly logged in and his privileges do not allow access to a portion of content, 403 is the right response. But in the case of the anonymous user that has been logged in by default without ever giving the user the possibility to log on, 401 would be the correct response.
regards, Lars
P.S. is there a way to override the automatic login of anonymous per configuration?
On 28.02.2008, at 14:44, David Nuescheler wrote:
hi all, here my +1 for anonymous access by default.
also prompting the user with a 401 for something that he does not have read access for is not an option, since in jcr if you are able to read content there is no way to tell that something exists.
But still, the desired behavior is to ask the user for authentication if he is not authenticated and write permission is denied.
Your problem has nothing to do with the fact that we allow anonymous access per default now. Before that you could login as anonymous and would face the same problems. This is rather a problem of the post servlet and the permission checking there. Could you please open an issue?
i agree with carsten's assessment.
i don't think though that the desired response code for a permission denied on the repository level is a 401 even for "anonymous", but i think it should be a 403 error code instead.
thoughts?
regards, david
-- Lars Trieloff [EMAIL PROTECTED] http://weblogs.goshaky.com/weblogs/lars
