HTTP 401 Unauthorized or 403 Forbidden for a "disabled" user?


Question

An authentication service allows user accounts to be disabled (a sort of soft-delete).

If the server then receives an authentication request for a disabled user that would otherwise be valid, should the server return 401 or 403? With either status code, I would return a message indicating that the account had been disabled.

For quick reference, relevant quotes from the HTTP/1.1 spec (emphasis mine):

401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.47) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information. HTTP access authentication is explained in "HTTP Authentication: Basic and Digest Access Authentication" [43].

403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.


Accepted answer

Based on an email written by Roy T. Fielding, this is apparently a bug in the current HTTP spec (http://trac.tools.ietf.org/wg/httpbis/trac/ticket/294).

The way the spec is intended to be read is as follows (using quotes from the above email):

401 Unauthenticated

you can't do this because you haven't authenticated

403 Unauthorized

user agent sent valid credentials but doesn't have access

So, in the case of a disabled user, 403 is the correct response (and 404 is also an option).
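As an added illustration (not part of the question or the answer above), the following Python handler applies the answer's reading to HTTP Basic authentication: a missing or unverifiable credential gets 401 with a WWW-Authenticate challenge, and a disabled account whose password does verify gets 403 with no challenge, or 404 when the server prefers not to confirm that the account exists. The realm, user table and passwords are constructed for the example.

```python
import base64
import hashlib
import hmac

REALM = "example"  # assumed realm name, not from the original post

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the constructed user table holds no plaintext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample user table: name -> (salt, password hash, disabled flag)
_SALT = b"constructed-salt"
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT), False),
    "bob": (_SALT, _hash("battery staple", _SALT), True),  # soft-deleted
}

def authenticate(headers: dict, hide_disabled: bool = False):
    """Return (status, response headers, body) for a Basic-auth request.

    401 + WWW-Authenticate: no credentials, or credentials that do not verify.
    403: credentials verify but the account is disabled (the answer's reading).
    404: the same case when the server would rather not reveal the account.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return 401, challenge, "authentication required"
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:
        return 401, challenge, "malformed credentials"
    record = USERS.get(user)
    if record is None:
        _hash(password, _SALT)  # spend the same time as a wrong password would
        return 401, challenge, "invalid credentials"
    salt, stored, disabled = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, challenge, "invalid credentials"
    if disabled:
        # Authorization will not help, so no challenge header is sent
        return (404, {}, "not found") if hide_disabled else (403, {}, "account disabled")
    return 200, {}, f"hello {user}"

def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a client would send (helper for testing)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```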
