当前位置: 文江博客 话题详情

403 Forbidden 与 401 Unauthorized HTTP 响应

发布于 2024-09-11 02:25:10 字数 177 浏览 20 评论 0 原文

对于存在的网页,但用户没有足够的权限(他们未登录或不属于正确的用户组),要提供的正确 HTTP 响应是什么?

401 未经授权
403 禁止
还有别的事吗?

到目前为止,我所读到的关于两者之间的区别还不是很清楚。每个响应适合哪些用例?

原文

For a web page that exists, but for which a user does not have sufficient privileges (they are not logged in or do not belong to the proper user group), what is the proper HTTP response to serve?

401 Unauthorized?
403 Forbidden?
Something else?

What I've read on each so far isn't very clear on the difference between the two. What use cases are appropriate for each response?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(22

没有心的人 2024-09-18 02:25:10

来自丹尼尔·欧文 [原始链接]

401 Unauthorized(身份验证错误的 HTTP 状态代码)存在问题。就是这样:它用于身份验证,而不是授权。
收到 401 响应是服务器告诉您,“您没有
已验证 – 根本未验证或已验证
不正确 - 但请重新验证并重试。”为了帮助你,
它总是包含一个WWW-Authenticate标头来描述如何
进行身份验证。

这通常是您的网络服务器返回的响应,而不是您的网络
应用程序。

这也是非常暂时的;服务器正在要求您尝试
再次。

因此,对于授权,我使用 403 Forbidden 响应。它是
永久的,它与我的应用程序逻辑相关,并且它是一个更具体的
响应而不是 401。

收到 403 响应是服务器告诉您:“对不起。我知道
你是谁——我相信你所说的你是谁——但你就是不知道
访问此资源的权限。也许如果你问系统
管理员很好,您会获得许可。但请不要打扰
再来找我,直到你的困境改变为止。”

总之,401 Unauthorized 响应应该用于丢失
或错误的身份验证,并且应使用 403 Forbidden 响应
之后,当用户通过身份验证但无权时
对给定资源执行请求的操作。

另一种漂亮的图片格式说明了如何使用http状态代码。

A clear explanation from Daniel Irvine [original link]:

There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization.
Receiving a 401 response is the server telling you, “you aren’t
authenticated–either not authenticated at all or authenticated
incorrectly–but please reauthenticate and try again.” To help you out,
it will always include a WWW-Authenticate header that describes how
to authenticate.

This is a response generally returned by your web server, not your web
application.

It’s also something very temporary; the server is asking you to try
again.

So, for authorization I use the 403 Forbidden response. It’s
permanent, it’s tied to my application logic, and it’s a more concrete
response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know
who you are–I believe who you say you are–but you just don’t have
permission to access this resource. Maybe if you ask the system
administrator nicely, you’ll get permission. But please don’t bother
me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing
or bad authentication, and a 403 Forbidden response should be used
afterwards, when the user is authenticated but isn’t authorized to
perform the requested operation on the given resource.

Another nice pictorial format of how http status codes should be used.

回复 原文
慕巷 2024-09-18 02:25:10

编辑:RFC2616已过时,请参阅RFC9110

401 未经授权:

如果请求已包含授权凭据,则 401 响应表明这些凭据的授权已被拒绝。

第403章 禁止:

服务器理解该请求,但拒绝满足它。

从您的用例来看,该用户似乎未经过身份验证。我会返回401。

Edit: RFC2616 is obsolete, see RFC9110.

401 Unauthorized:

If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

403 Forbidden:

The server understood the request, but is refusing to fulfill it.

From your use case, it appears that the user is not authenticated. I would return 401.

回复 原文
夜吻♂芭芘 2024-09-18 02:25:10

其他答案缺少的一点是,必须理解 RFC 2616 上下文中的身份验证和授权仅指 RFC 2617 的 HTTP 身份验证协议。HTTP 状态代码不支持通过 RFC2617 之外的方案进行身份验证,因此不考虑在决定使用 401 还是 403 时。Brief

and Terse

Unauthorized 表示客户端未经过 RFC2617 身份验证,并且服务器正在启动身份验证过程。 Forbidden 表示客户端已通过 RFC2617 身份验证但没有授权,或者服务器不支持请求资源的 RFC2617。

这意味着如果您有自己的登录流程并且从不使用 HTTP 身份验证,则 403 始终是正确的响应,并且永远不应该使用 401。

详细和深入

RFC2616 的

10.4.2 401 未经授权

该请求需要用户身份验证。响应必须包含一个 WWW-Authenticate 头字段(第 14.47 节),其中包含适用于所请求资源的质询。客户端可以使用合适的授权标头字段重复请求(第 14.8 节)。

10.4.4 403 禁止
服务器理解该请求但拒绝满足它。授权不会有任何帮助,并且不应重复请求。

首先要记住的是,本文档上下文中的“身份验证”和“授权”特指 RFC 2617 中的 HTTP 身份验证协议。它们并不指您可能创建的任何自定义身份验证协议使用登录页面等。我将使用“登录”来指代通过 RFC2617 以外的方法进行身份验证和授权,

因此真正的区别不是问题是什么,也不是是否有解决方案。区别在于服务器期望客户端下一步做什么。

401 表示无法提供资源,但服务器正在请求客户端通过 HTTP 身份验证登录,并已发送回复标头来启动该过程。可能有允许访问资源的授权,也可能没有,但让我们尝试一下,看看会发生什么。

403表示无法提供资源,对于当前用户来说,没有办法通过RFC2617解决这个问题,也没有尝试的意义。这可能是因为已知任何级别的身份验证都是不够的(例如,由于 IP 黑名单),但也可能是因为用户已经经过身份验证并且没有权限。 RFC2617 模型是单用户、单凭证,因此用户可能拥有第二组可授权凭证的情况可以被忽略。它既不暗示也不暗示某种登录页面或其他非 RFC2617 身份验证协议可能有帮助,也可能没有帮助 - 这超出了 RFC2616 标准和定义。

编辑:RFC2616已过时,请参阅RFC7231RFC7235

Something the other answers are missing is that it must be understood that Authentication and Authorization in the context of RFC 2616 refers ONLY to the HTTP Authentication protocol of RFC 2617. Authentication by schemes outside of RFC2617 is not supported in HTTP status codes and are not considered when deciding whether to use 401 or 403.

Brief and Terse

Unauthorized indicates that the client is not RFC2617 authenticated and the server is initiating the authentication process. Forbidden indicates either that the client is RFC2617 authenticated and does not have authorization or that the server does not support RFC2617 for the requested resource.

Meaning if you have your own roll-your-own login process and never use HTTP Authentication, 403 is always the proper response and 401 should never be used.

Detailed and In-Depth

From RFC2616

10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8).

and

10.4.4 403 Forbidden
The server understood the request but is refusing to fulfil it. Authorization will not help and the request SHOULD NOT be repeated.

The first thing to keep in mind is that "Authentication" and "Authorization" in the context of this document refer specifically to the HTTP Authentication protocols from RFC 2617. They do not refer to any roll-your-own authentication protocols you may have created using login pages, etc. I will use "login" to refer to authentication and authorization by methods other than RFC2617

So the real difference is not what the problem is or even if there is a solution. The difference is what the server expects the client to do next.

401 indicates that the resource can not be provided, but the server is REQUESTING that the client log in through HTTP Authentication and has sent reply headers to initiate the process. Possibly there are authorizations that will permit access to the resource, possibly there are not, but let's give it a try and see what happens.

403 indicates that the resource can not be provided and there is, for the current user, no way to solve this through RFC2617 and no point in trying. This may be because it is known that no level of authentication is sufficient (for instance because of an IP blacklist), but it may be because the user is already authenticated and does not have authority. The RFC2617 model is one-user, one-credentials so the case where the user may have a second set of credentials that could be authorized may be ignored. It neither suggests nor implies that some sort of login page or other non-RFC2617 authentication protocol may or may not help - that is outside the RFC2616 standards and definition.

Edit: RFC2616 is obsolete, see RFC7231 and RFC7235.

回复 原文
朕就是辣么酷 2024-09-18 02:25:10 
  +-----------------------
  | RESOURCE EXISTS ? (if private it is often checked AFTER auth check)
  +-----------------------
    |       |
 NO |       v YES
    v      +-----------------------
   404     | IS LOGGED-IN ? (authenticated, aka user session)
   or      +-----------------------
   401        |              |
   403     NO |              | YES
   3xx        v              v
              401            +-----------------------
       (404 no reveal)       | CAN ACCESS RESOURCE ? (permission, authorized, ...)
              or             +-----------------------
             redirect          |            |
             to login       NO |            | YES
                               |            |
                               v            v
                               403          OK 200, redirect, ...
                      (or 404: no reveal)
                      (or 404: resource does not exist if private)
                      (or 3xx: redirection)

检查通常按以下顺序完成:

  • 如果资源是公共的且不存在,则返回 404 或 3xx 重定向
  • 否则:
  • 如果未登录或会话过期,则返回 401;
  • 如果用户无权访问资源(文件、json、...),则返回
  • 403;如果资源不存在或不愿意透露,则返回 404任何内容,或 3xx 重定向

未经授权:状态代码 (401)表示请求需要身份验证,通常这意味着用户需要登录(会话)。服务器未知的用户/代理。可以用其他凭证重复。注意:这很令人困惑,因为它应该被命名为“未经身份验证”而不是“未经授权”。如果会话过期,登录后也可能发生这种情况。
特殊情况:可以用来代替 404 以避免泄露资源的存在或不存在(来源@gingerCodeNinja)

FORBIDDEN:状态代码 (403) 指示服务器理解该资源请求但拒绝履行。服务器已知的用户/代理,但凭据不足。除非凭据发生更改,否则重复请求将不起作用,而这在短时间内不太可能发生。
特殊情况:可以用来代替 404,以避免泄露资源的存在或不存在(鸣谢 @gingerCodeNinja),以防泄露资源的存在会暴露敏感数据或向攻击者提供有用的信息。

NOT FOUND:状态代码 (404) 指示所请求的资源不可用。用户/代理已知,但服务器不会透露有关资源的任何信息,就好像它不存在一样。重复不会有效果。这是 404 的特殊用途(github 就是这样做的)。

正如 @ChrisH 提到的,有一些重定向选项 3xx (301、302、303、307 或根本不重定向并使用 401):

  +-----------------------
  | RESOURCE EXISTS ? (if private it is often checked AFTER auth check)
  +-----------------------
    |       |
 NO |       v YES
    v      +-----------------------
   404     | IS LOGGED-IN ? (authenticated, aka user session)
   or      +-----------------------
   401        |              |
   403     NO |              | YES
   3xx        v              v
              401            +-----------------------
       (404 no reveal)       | CAN ACCESS RESOURCE ? (permission, authorized, ...)
              or             +-----------------------
             redirect          |            |
             to login       NO |            | YES
                               |            |
                               v            v
                               403          OK 200, redirect, ...
                      (or 404: no reveal)
                      (or 404: resource does not exist if private)
                      (or 3xx: redirection)

Checks are usually done in this order:

  • 404 if resource is public and does not exist or 3xx redirection
  • OTHERWISE:
  • 401 if not logged-in or session expired
  • 403 if user does not have permission to access resource (file, json, ...)
  • 404 if resource does not exist or not willing to reveal anything, or 3xx redirection

UNAUTHORIZED: Status code (401) indicating that the request requires authentication, usually this means user needs to be logged-in (session). User/agent unknown by the server. Can repeat with other credentials. NOTE: This is confusing as this should have been named 'unauthenticated' instead of 'unauthorized'. This can also happen after login if session expired.
Special case: Can be used instead of 404 to avoid revealing presence or non-presence of resource (credits @gingerCodeNinja)

FORBIDDEN: Status code (403) indicating the server understood the request but refused to fulfill it. User/agent known by the server but has insufficient credentials. Repeating request will not work, unless credentials changed, which is very unlikely in a short time span.
Special case: Can be used instead of 404 to avoid revealing presence or non-presence of resource (credits @gingerCodeNinja) in the case that revealing the presence of the resource exposes sensitive data or gives an attacker useful information.

NOT FOUND: Status code (404) indicating that the requested resource is not available. User/agent known but server will not reveal anything about the resource, does as if it does not exist. Repeating will not work. This is a special use of 404 (github does it for example).

As mentioned by @ChrisH there are a few options for redirection 3xx (301, 302, 303, 307 or not redirecting at all and using a 401):

回复 原文
浅浅 2024-09-18 02:25:10

根据 RFC 2616 (HTTP/1.1) 403 是发送时间:

服务器理解该请求,但拒绝满足它。授权不会有任何帮助,并且不应重复请求。如果请求方法不是 HEAD 并且服务器希望公开为什么请求没有被满足,它应该在实体中描述拒绝的原因。如果服务器不希望将此信息提供给客户端,则可以使用状态代码 404(未找到)

,如果客户端可以通过身份验证访问资源,则应发送 401。

According to RFC 2616 (HTTP/1.1) 403 is sent when:

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead

In other words, if the client CAN get access to the resource by authenticating, 401 should be sent.

回复 原文
森林散布 2024-09-18 02:25:10

假设 HTTP 身份验证WWW-AuthenticateAuthorization 标头)正在使用,如果以其他用户身份进行身份验证将授予访问所请求的资源,则应返回 401 Unauthorized。

当禁止所有人访问资源或仅限于给定网络或仅允许通过 SSL 访问资源时,将使用 403 Forbidden,只要与 HTTP 身份验证无关即可。

如果未使用 HTTP 身份验证,并且服务具有基于 cookie 的身份验证方案(这是当今的标准),则应返回 403 或 404。

关于 401,这来自 RFC 7235(超文本传输​​协议 (HTTP/1.1):身份验证)

3.1。 401 未经授权

401(未经授权)状态代码表示请求尚未应用,因为它缺少目标资源的有效身份验证凭据。 源服务器必须发送一个 WWW-Authenticate 头字段(第 4.4 节),其中至少包含一个适用于目标资源的质询。 如果请求包含身份验证凭据,则 401 响应表明这些凭据的授权已被拒绝。客户端可以使用新的或替换的授权头字段重复请求(第 4.1 节)。如果 401 响应包含与先前响应相同的质询,并且用户代理已经尝试过至少一次身份验证,则用户代理应该向用户呈现随附的表示,因为它通常包含相关的诊断信息。

403(和 404)的语义随着时间的推移而发生了变化。这是 1999 年的内容 (RFC 2616):

10.4.4 403 禁止

服务器理解该请求,但拒绝满足它。 授权不会有任何帮助并且请求不应该重复。如果请求方法不是 HEAD 并且服务器希望公开为什么请求没有被满足,它应该在实体中描述拒绝的原因。如果服务器不希望将此信息提供给客户端,则可以使用状态代码 404(未找到)。

2014 年 RFC 7231(超文本传输​​协议 (HTTP/1.1):语义和内容)改变了403的含义:

6.5.3。第403章 禁止

403(禁止)状态代码表示服务器理解该请求但拒绝授权。希望公开请求被禁止原因的服务器可以在响应负载(如果有)中描述该原因。

如果请求中提供了身份验证凭据,服务器会认为它们不足以授予访问权限。客户端不应该自动使用相同的凭据重复请求。客户端可以使用新的或不同的凭据重复请求。但是,请求可能会因与凭据无关的原因而被禁止。

希望“隐藏”当前存在的禁止目标资源的源服务器可以使用状态代码 404(未找到)进行响应。

因此,403(或 404)现在可能意味着任何事情。提供新的凭据可能会有所帮助……也可能不会。

我相信这种情况发生变化的原因是 RFC 2616 假设当今的 Web 应用程序在实践中使用表单和 cookie 构建自定义身份验证方案时将使用 HTTP 身份验证。

Assuming HTTP authentication (WWW-Authenticate and Authorization headers) is in use, if authenticating as another user would grant access to the requested resource, then 401 Unauthorized should be returned.

403 Forbidden is used when access to the resource is forbidden to everyone or restricted to a given network or allowed only over SSL, whatever as long as it is no related to HTTP authentication.

If HTTP authentication is not in use and the service has a cookie-based authentication scheme as is the norm nowadays, then a 403 or a 404 should be returned.

Regarding 401, this is from RFC 7235 (Hypertext Transfer Protocol (HTTP/1.1): Authentication):

3.1. 401 Unauthorized

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The origin server MUST send a WWW-Authenticate header field (Section 4.4) containing at least one challenge applicable to the target resource. If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. The client MAY repeat the request with a new or replaced Authorization header field (Section 4.1). If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user agent SHOULD present the enclosed representation to the user, since it usually contains relevant diagnostic information.

The semantics of 403 (and 404) have changed over time. This is from 1999 (RFC 2616):

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

In 2014 RFC 7231 (Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content) changed the meaning of 403:

6.5.3. 403 Forbidden

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

Thus, a 403 (or a 404) might now mean about anything. Providing new credentials might help... or it might not.

I believe the reason why this has changed is RFC 2616 assumed HTTP authentication would be used when in practice today's Web apps build custom authentication schemes using for example forms and cookies.

回复 原文
晨敛清荷 2024-09-18 02:25:10
  • 401未经授权:我不知道你是谁。 这是一个身份验证错误。
  • 403 禁止:我知道您是谁,但您无权访问此资源。 这是一个授权错误。
  • 401 Unauthorized: I don't know who you are. This an authentication error.
  • 403 Forbidden: I know who you are, but you don't have permission to access this resource. This is an authorization error.
回复 原文
意中人 2024-09-18 02:25:10

这是一个较老的问题,但从未真正提出的一个选项是返回 404。从安全角度来看,得票最高的答案可能会受到潜在的 信息泄露漏洞。例如,假设所讨论的安全网页是系统管理页面,或者更常见的是,是用户无权访问的系统中的记录。理想情况下,您不希望恶意用户知道那里有页面/记录,更不用说他们无权访问了。当我构建这样的东西时,我会尝试在内部日志中记录未经身份验证/未经授权的请求,但返回 404。

OWASP 有一些 有关攻击者如何使用此类信息作为攻击一部分的更多信息

This is an older question, but one option that was never really brought up was to return a 404. From a security perspective, the highest voted answer suffers from a potential information leakage vulnerability. Say, for instance, that the secure web page in question is a system admin page, or perhaps more commonly, is a record in a system that the user doesn't have access to. Ideally you wouldn't want a malicious user to even know that there's a page / record there, let alone that they don't have access. When I'm building something like this, I'll try to record unauthenticate / unauthorized requests in an internal log, but return a 404.

OWASP has some more information about how an attacker could use this type of information as part of an attack.

回复 原文
叫思念不要吵 2024-09-18 02:25:10

这个问题很早以前就被问过,但人们的思考仍在继续。

第 6.5.3 节 为状态代码 403 赋予的含义与 RFC 2616

它反映了身份验证和验证过程中发生的情况。许多流行的网络服务器和框架采用的授权方案。

我强调了我认为最重要的一点。

6.5.3。 403 禁止

403(禁止)状态代码表示服务器理解该请求但拒绝授权。希望公开请求被禁止原因的服务器可以在响应负载(如果有)中描述该原因。

如果请求中提供了身份验证凭据,服务器会认为它们不足以授予访问权限。 客户端不应使用相同的凭据重复请求。客户端可以使用新的或不同的凭据重复请求。但是,请求可能会因与凭据无关的原因而被禁止。

希望“隐藏”当前存在的禁止目标资源的源服务器可以使用状态代码 404(未找到)进行响应。

无论您使用什么约定,重要的是在您的站点/API 中提供统一性。

This question was asked some time ago, but people's thinking moves on.

Section 6.5.3 in this draft (authored by Fielding and Reschke) gives status code 403 a slightly different meaning to the one documented in RFC 2616.

It reflects what happens in authentication & authorization schemes employed by a number of popular web-servers and frameworks.

I've emphasized the bit I think is most salient.

6.5.3. 403 Forbidden

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it. A server that wishes to make public why the request has been forbidden can describe that reason in the response payload (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found).

Whatever convention you use, the important thing is to provide uniformity across your site / API.

回复 原文
∞梦里开花 2024-09-18 02:25:10

这些含义如下:

401:用户未(正确)经过身份验证,资源/页面需要身份验证

403:用户的角色或权限不允许访问所请求的资源,例如用户不是管理员,请求的页面供管理员使用。

注意:从技术上讲,403 是 401 的超集,因为为未经身份验证的用户提供 403 也是合法的。无论如何,区分更有意义。

These are the meanings:

401: User not (correctly) authenticated, the resource/page require authentication

403: User's role or permissions does not allow to access requested resource, for instance user is not an administrator and requested page is for administrators.

Note: Technically, 403 is a superset of 401, since is legal to give 403 for unauthenticated user too. Anyway is more meaningful to differentiate.

回复 原文
吃素的狼 2024-09-18 02:25:10

<强>!!! DEPR:答案反映了 2014 年之前的常见做法!!!

TL;DR

  • 401:与身份验证有关的拒绝
  • 403:与身份验证无关的拒绝

实际示例

如果 < strong>apache 需要身份验证(通过.htaccess),并且您点击取消,它将以401响应需要授权

如果 nginx 找到一个文件,但没有访问权限(用户/组)来读取/访问它,它将响应 403禁止

RFC (2616 第 10 节)

401 未经授权 (10.4.2)

含义 1:需要身份验证

该请求需要用户身份验证。 ...

含义2:身份验证不足

...如果请求已包含授权凭据,则 401 响应表明这些凭据的授权已被拒绝。 ...

403 Forbidden (10.4.4)

含义:与身份验证无关

...授权没有帮助...

更多详细信息:

服务器理解该请求,但拒绝满足它。

它应该描述实体拒绝的原因

可以使用状态代码 404(未找到)来代替

(如果服务器希望向客户端保留此信息)

!!! DEPR: The answer reflects what used to be common practice, up until 2014 !!!

TL;DR

  • 401: A refusal that has to do with authentication
  • 403: A refusal that has NOTHING to do with authentication

Practical Examples

If apache requires authentication (via .htaccess), and you hit Cancel, it will respond with a 401 Authorization Required

If nginx finds a file, but has no access rights (user/group) to read/access it, it will respond with 403 Forbidden

RFC (2616 Section 10)

401 Unauthorized (10.4.2)

Meaning 1: Need to authenticate

The request requires user authentication. ...

Meaning 2: Authentication insufficient

... If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. ...

403 Forbidden (10.4.4)

Meaning: Unrelated to authentication

... Authorization will not help ...

More details:

The server understood the request, but is refusing to fulfill it.

It SHOULD describe the reason for the refusal in the entity

The status code 404 (Not Found) can be used instead

(If the server wants to keep this information from client)

回复 原文
空宴 2024-09-18 02:25:10

401 响应代码表示以下情况之一:

  1. 缺少访问令牌。
  2. 访问令牌已过期、已撤销、格式错误或无效。

另一方面,403 响应代码意味着访问令牌确实有效,但用户没有适当的权限来执行请求的操作。

401 response code means one of the following:

  1. An access token is missing.
  2. An access token is either expired, revoked, malformed, or invalid.

A 403 response code on the other hand means that the access token is indeed valid, but that the user does not have appropriate privileges to perform the requested action.

回复 原文
○闲身 2024-09-18 02:25:10

我为您创建了一个简单的注释,可以清楚地说明这一点。

输入图像描述这里

I have created a simple note for you which will make it clear.

enter image description here

回复 原文
多情癖 2024-09-18 02:25:10

他们未登录或不属于正确的用户组

您已经陈述了两种不同的情况;每种情况应该有不同的响应:

  1. 如果他们根本没有登录,您应该返回 401 Unauthorized
  2. 如果他们已登录但不属于正确的用户组,您应该返回 403 Forbidden

根据收到的对此答案的评论,对 RFC 进行注释:

如果用户未登录,则他们未经身份验证,其对应的 HTTP 是 401,并且被误导性地称为“未经授权”在 RFC 中。正如 第 10.4.2 节所述,401 未经授权

“请求需要用户身份验证。”

如果您未经身份验证,则正确的响应是 401。但是,如果您未经授权,从语义上正确的意义上来说,403 是正确的响应。

they are not logged in or do not belong to the proper user group

You have stated two different cases; each case should have a different response:

  1. If they are not logged in at all you should return 401 Unauthorized
  2. If they are logged in but don't belong to the proper user group, you should return 403 Forbidden

Note on the RFC based on comments received to this answer:

If the user is not logged in they are un-authenticated, the HTTP equivalent of which is 401 and is misleadingly called Unauthorized in the RFC. As section 10.4.2 states for 401 Unauthorized:

"The request requires user authentication."

If you're unauthenticated, 401 is the correct response. However if you're unauthorized, in the semantically correct sense, 403 is the correct response.

回复 原文
后来的我们 2024-09-18 02:25:10

401:你又是谁?(程序员走进一家没有 ID 或无效 ID 的酒吧)

403:哦,太棒了,又是你。我已经注视着你了。走吧,离开这里。(程序员走进他们 86 岁的酒吧)

401: Who are you again?? (programmer walks into a bar with no ID or invalid ID)

403: Oh great, you again. I've got my eye on you. Go on, get outta here. (programmer walks into a bar they are 86'd from)

回复 原文
情话墙 2024-09-18 02:25:10

英语:

401

您可能被允许访问,但由于某种原因,您无法响应此请求
否认。比如密码错误?使用正确的请求重试
您将收到成功响应。

403

你永远不被允许。你的名字不在名单上,你不会的
一旦进入,离开,不要发送重试请求,它将被拒绝,
总是。走开。

In English:

401

You are potentially allowed access but for some reason on this request you were
denied. Such as a bad password? Try again, with the correct request
you will get a success response instead.

403

You are not, ever, allowed. Your name is not on the list, you won't
ever get in, go away, don't send a re-try request, it will be refused,
always. Go away.

回复 原文
屌丝范 2024-09-18 02:25:10

401:您需要 HTTP 基本身份验证才能看到此内容。

如果用户只需要使用站点的标准 HTML 登录表单登录,则 401 不合适,因为它特定于 HTTP 基本身份验证。

403:此资源存在,但您无权查看它,并且 HTTP 基本身份验证无济于事。

我不建议使用 403 来拒绝访问诸如 /includes 之类的内容,因为就网络而言,这些资源根本不存在,因此应该使用 404。

换句话说,403意思是“此资源需要除 HTTP 基本身份验证之外的某种形式的身份验证(例如使用网站的标准 HTML 登录表单)”。

https://www.w3.org/Protocols/rfc2616/ rfc2616-sec10.html#sec10.4.2

401: You need HTTP basic auth to see this.

If the user just needs to log in using you site's standard HTML login form, 401 would not be appropriate because it is specific to HTTP basic auth.

403: This resource exists but you are not authorized to see it, and HTTP basic auth won't help.

I don't recommend using 403 to deny access to things like /includes, because as far as the web is concerned, those resources don't exist at all and should therefore 404.

In other words, 403 means "this resource requires some form of auth other than HTTP basic auth (such as using the web site's standard HTML login form)".

https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2

回复 原文
北笙凉宸 2024-09-18 02:25:10

我认为重要的是要考虑到,对于浏览器来说,401 会启动一个身份验证对话框,让用户输入新的凭据,而 403 则不会。浏览器认为,如果返回 401,则用户应该重新进行身份验证。因此,401 代表无效身份验证,而 403 代表缺乏权限。

以下是该逻辑下的一些情况,其中身份验证或授权会返回错误,其中重要短语以粗体显示。

  • 资源需要身份验证,但未指定凭据

401:客户端应指定凭据。

  • 指定的凭据格式无效

400:既不是 401 也不是 403,因为语法错误应始终返回 400。

  • 指定的凭据引用不存在用户

401:客户端应指定有效的凭据。

  • 指定的凭据无效,但指定了有效的用户(或者如果不需要指定的用户,则不指定用户)。

401:同样,客户端应指定有效的凭据。

  • 指定的凭据过期

401:这实际上与一般情况下的无效凭据相同,因此客户端应指定有效的凭据。

  • 指定的凭据完全有效,但不足以满足特定资源的要求,尽管具有更多权限的凭据可能可以满足要求。

403:指定有效的凭据不会授予对资源的访问权限,因为当前凭据已经有效,但只是没有权限。

  • 无论凭据如何,特定的资源无法访问

403:这与凭据无关,因此指定有效凭据无济于事。

  • 指定的凭据完全有效,但特定客户端阻止使用它们。

403:如果客户端被阻止,指定新凭据将不会执行任何操作。

I think it is important to consider that, to a browser, 401 initiates an authentication dialog for the user to enter new credentials, while 403 does not. Browsers think that, if a 401 is returned, then the user should re-authenticate. So 401 stands for invalid authentication while 403 stands for a lack of permission.

Here are some cases under that logic where an error would be returned from authentication or authorization, with important phrases bolded.

  • A resource requires authentication but no credentials were specified.

401: The client should specify credentials.

  • The specified credentials are in an invalid format.

400: That's neither 401 nor 403, as syntax errors should always return 400.

  • The specified credentials reference a user which does not exist.

401: The client should specify valid credentials.

  • The specified credentials are invalid but specify a valid user (or don't specify a user if a specified user is not required).

401: Again, the client should specify valid credentials.

  • The specified credentials have expired.

401: This is practically the same as having invalid credentials in general, so the client should specify valid credentials.

  • The specified credentials are completely valid but do not suffice the particular resource, though it is possible that credentials with more permission could.

403: Specifying valid credentials would not grant access to the resource, as the current credentials are already valid but only do not have permission.

  • The particular resource is inaccessible regardless of credentials.

403: This is regardless of credentials, so specifying valid credentials cannot help.

  • The specified credentials are completely valid but the particular client is blocked from using them.

403: If the client is blocked, specifying new credentials will not do anything.

回复 原文
萌面超妹 2024-09-18 02:25:10

鉴于有关此事的最新 RFC (72317235)用例似乎很清楚(添加斜体):

  • 401是对于未经身份验证(“缺乏有效的身份验证”);即“我不知道你是谁,或者我不相信你就是你所说的那个人。”

401 未经授权

401(Unauthorized)状态码表示该请求没有被授权
已应用,因为它缺乏有效的身份验证凭据
目标资源。生成 401 响应的服务器必须发送
WWW-Authenticate 头字段(第 4.1 节)至少包含一个
适用于目标资源的挑战。

如果请求包含身份验证凭据,则 401
响应表明授权已被拒绝
证书。用户代理可以使用新的或
替换了授权标头字段(第 4.2 节)。如果401
响应包含与先前响应相同的挑战,并且
用户代理已经尝试过至少一次身份验证,然后
用户代理应该向
用户,因为它通常包含相关的诊断信息。

  • 403 表示未经授权(“拒绝授权”);即“我知道你是谁,但你无权访问此资源。”

403 禁止

403(禁止)状态码表示服务器已理解
请求但拒绝授权。一个服务器希望
公开请求被禁止的原因可以描述
响应负载中的原因(如果有)。

如果请求中提供了身份验证凭据,则
服务器认为它们不足以授予访问权限。客户
不应该自动重复相同的请求
证书。客户端可以使用新的或不同的重复请求
证书。但是,请求可能会因某些原因而被禁止
与凭据无关。

希望“隐藏”当前存在的源服务器
被禁止的目标资源可以用状态代码来响应
404(未找到)。

Given the latest RFC's on the matter (7231 and 7235) the use-case seems quite clear (italics added):

  • 401 is for unauthenticated ("lacks valid authentication"); i.e. 'I don't know who you are, or I don't trust you are who you say you are.'

401 Unauthorized

The 401 (Unauthorized) status code indicates that the request has not
been applied because it lacks valid authentication credentials for
the target resource. The server generating a 401 response MUST send
a WWW-Authenticate header field (Section 4.1) containing at least one
challenge applicable to the target resource.

If the request included authentication credentials, then the 401
response indicates that authorization has been refused for those
credentials. The user agent MAY repeat the request with a new or
replaced Authorization header field (Section 4.2). If the 401
response contains the same challenge as the prior response, and the
user agent has already attempted authentication at least once, then
the user agent SHOULD present the enclosed representation to the
user, since it usually contains relevant diagnostic information.

  • 403 is for unauthorized ("refuses to authorize"); i.e. 'I know who you are, but you don't have permission to access this resource.'

403 Forbidden

The 403 (Forbidden) status code indicates that the server understood
the request but refuses to authorize it. A server that wishes to
make public why the request has been forbidden can describe that
reason in the response payload (if any).

If authentication credentials were provided in the request, the
server considers them insufficient to grant access. The client
SHOULD NOT automatically repeat the request with the same
credentials. The client MAY repeat the request with new or different
credentials. However, a request might be forbidden for reasons
unrelated to the credentials.

An origin server that wishes to "hide" the current existence of a
forbidden target resource MAY instead respond with a status code of
404 (Not Found).

回复 原文
多情癖 2024-09-18 02:25:10

我的看法与已接受的答案略有不同。

当身份验证失败时返回 403,当授权失败时返回 401,这似乎更语义和逻辑。

我的理由如下:

当您请求进行身份验证时,您有权提出该请求。您需要这样做,否则一开始就没有人能够通过身份验证。

如果您的身份验证失败,您将被禁止,这在语义上是有意义的。

另一方面被禁止的也可以申请授权,但是
假设您已通过身份验证,但无权访问特定端点。返回 401 Unauthorized 似乎更语义化。

Spring Boot 的安全性会因身份验证尝试失败而返回 403

I have a slightly different take on it from the accepted answer.

It seems more semantic and logical to return a 403 when authentication fails and a 401 when authorisation fails.

Here is my reasoning for this:

When you are requesting to be authenticated, You are authorised to make that request. You need to otherwise no one would even be able to be authenticated in the first place.

If your authentication fails you are forbidden, that makes semantic sense.

On the other hand the forbidden can also apply for Authorisation, but
Say you are authenticated and you are not authorised to access a particular endpoint. It seems more semantic to return a 401 Unauthorised.

Spring Boot's security returns 403 for a failed authentication attempt

回复 原文
一刻暧昧 2024-09-18 02:25:10

我认为这样更容易:

如果系统无法识别您使用的凭据,例如,如果它是不同的领域或其他什么,则返回 401。

如果您设法通过 401

403 如果您不被允许访问该资源,如果您在未通过身份验证时收到此消息,那么即使您通过了身份验证,您也可能不会收到它,系统不会检查您是否有或没有凭证。

披露:我还没有阅读 RFC。

I think it's easier like this:

401 if the credentials you are using is not recognized by the system, for example if it's different realm or something.

if you managed to pass 401

403 if you are not allowed to access the resource, if you get this when you are not authenticated, chances are you won't be getting it even if you are authenticated, the system doesn't check if you have credentials or not.

Disclosure: I haven't read the RFCs.

回复 原文
挽梦忆笙歌 2024-09-18 02:25:10

在401 vs 403的例子中,这个问题已经被回答过很多次了。这本质上是“HTTP 请求环境”的争论,而不是“应用程序”的争论。

似乎有一个关于自行登录问题(应用程序)的问题。

在这种情况下,仅仅未登录不足以发送 401 或 403,除非您使用 HTTP 身份验证而不是登录页面(与设置 HTTP 身份验证无关)。听起来您可能正在寻找“201 Created”,其中存在一个滚动您自己的登录屏幕(而不是请求的资源),用于对文件的应用程序级访问。这表示:

“我听到了,它就在这里,但试试这个(不允许你看到它)”

In the case of 401 vs 403, this has been answered many times. This is essentially a 'HTTP request environment' debate, not an 'application' debate.

There seems to be a question on the roll-your-own-login issue (application).

In this case, simply not being logged in is not sufficient to send a 401 or a 403, unless you use HTTP Auth vs a login page (not tied to setting HTTP Auth). It sounds like you may be looking for a "201 Created", with a roll-your-own-login screen present (instead of the requested resource) for the application-level access to a file. This says:

"I heard you, it's here, but try this instead (you are not allowed to see it)"

回复 原文
~没有更多了~

关于作者

冷血

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

Gabu-gabumon

文章 0 评论 0

qq_CgiN62

文章 0 评论 0

荔枝明

文章 0 评论 0

赏烟花じ飞满天

文章 0 评论 0

独守阴晴ぅ圆缺

文章 0 评论 0

¤→小豸慧

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文