403 Forbidden vs 401 Unauthorized HTTP responses


Question

For a web page that exists, but for which a user does not have sufficient privileges (they are not logged in or do not belong to the proper user group), what is the proper HTTP response to serve?

401 Unauthorized?
403 Forbidden?
Something else?

What I've read on each so far isn't very clear on the difference between the two. What use cases are appropriate for each response?

Accepted answer

From Daniel Irvine:

There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization. Receiving a 401 response is the server telling you, "you aren't authenticated, either not authenticated at all or authenticated incorrectly, but please reauthenticate and try again." To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.

This is a response generally returned by your web server, not your web application.

It's also something very temporary; the server is asking you to try again.

So, for authorization I use the 403 Forbidden response. It's permanent, it's tied to my application logic, and it's a more concrete response than a 401.

Receiving a 403 response is the server telling you, "I'm sorry. I know who you are, I believe who you say you are, but you just don't have permission to access this resource. Maybe if you ask the system administrator nicely, you'll get permission. But please don't bother me again until your predicament changes."

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn't authorized to perform the requested operation on the given resource.

Another nice pictorial format of how HTTP status codes should be used.
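The distinction in the answer above, worked through as a small request handler. This is an added example and not code from the original question or answer: the user store, resource-to-role table, realm name and the helper names (`authenticate`, `handle`, `basic_auth_header`) are all constructed for illustration. Two details a practitioner should not skip are visible in the code: a 401 must carry a `WWW-Authenticate` challenge (RFC 7235 section 3.1 makes that mandatory), and RFC 7231 section 6.5.3 allows a server that does not want to reveal that a forbidden resource exists to answer 404 instead of 403, which the `hide_forbidden` flag demonstrates. Credential checks use a constant-time comparison and a dummy digest for unknown users so the 401 path does not leak which usernames exist.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample data for this example only (not from the original page).
_SALT = b"example-salt"  # a real deployment uses a per-user random salt and a slow KDF


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


# username -> (password digest, set of roles)
USERS = {
    "alice": (_digest("alice-pw"), {"admin"}),
    "bob": (_digest("bob-pw"), {"viewer"}),
}

# resource path -> role required to access it (hypothetical authorization policy)
RESOURCE_ROLES = {
    "/admin/users": "admin",
    "/reports": "viewer",
}

REALM = "example"


def authenticate(headers: dict) -> Optional[str]:
    """Return the username if the Authorization header carries valid Basic credentials, else None."""
    value = headers.get("Authorization", "")
    scheme, _, param = value.partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # RFC 7617: split on the first colon only, passwords may contain colons
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = USERS.get(username)
    # Always run the comparison, against a dummy digest for unknown users,
    # so response timing does not distinguish "no such user" from "wrong password".
    expected = record[0] if record else _digest("")
    ok = hmac.compare_digest(expected, _digest(password))
    return username if (record is not None and ok) else None


def handle(path: str, headers: dict, hide_forbidden: bool = False):
    """Decide the response for a request: returns (status, response_headers, body)."""
    if path not in RESOURCE_ROLES:
        return 404, {}, "Not Found"
    user = authenticate(headers)
    if user is None:
        # Missing or bad credentials: 401. RFC 7235 requires a WWW-Authenticate challenge here.
        challenge = f'Basic realm="{REALM}", charset="UTF-8"'
        return 401, {"WWW-Authenticate": challenge}, "Unauthorized"
    if RESOURCE_ROLES[path] not in USERS[user][1]:
        # Authenticated, but the policy says no: 403. A server that wants to hide that the
        # resource exists may answer 404 instead (RFC 7231 section 6.5.3).
        if hide_forbidden:
            return 404, {}, "Not Found"
        return 403, {}, "Forbidden"
    return 200, {}, f"Hello, {user}"


def basic_auth_header(username: str, password: str) -> dict:
    """Build the Authorization header a client would send for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    print(handle("/admin/users", {}))                                   # 401 + challenge
    print(handle("/admin/users", basic_auth_header("bob", "wrong")))    # 401 + challenge
    print(handle("/admin/users", basic_auth_header("bob", "bob-pw")))   # 403: known user, wrong role
    print(handle("/admin/users", basic_auth_header("bob", "bob-pw"), hide_forbidden=True))  # 404
    print(handle("/admin/users", basic_auth_header("alice", "alice-pw")))  # 200
```

Note that the 401 path is the same whether the header is absent, malformed or carries a wrong password; in each case the client is told how to try again, while the 403 path is only reached once the identity has been established.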
