403 Forbidden vs 401 Unauthorized HTTP responses


Question

For a web page that exists, but for which a user does not have sufficient privileges (they are not logged in or do not belong to the proper user group), what is the proper HTTP response to serve? 401? 403? Something else? What I've read on each so far isn't very clear on the difference between the two. What use cases are appropriate for each response?

Recommended answer

From Daniel Irvine:


There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization. Receiving a 401 response is the server telling you, "you aren't authenticated, either not authenticated at all or authenticated incorrectly, but please reauthenticate and try again." To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.

This is a response generally returned by your web server, not your web application.

It's also something very temporary; the server is asking you to try again.

So, for authorization I use the 403 Forbidden response. It's permanent, it's tied to my application logic, and it's a more concrete response than a 401.

Receiving a 403 response is the server telling you, "I'm sorry. I know who you are, I believe who you say you are, but you just don't have permission to access this resource. Maybe if you ask the system administrator nicely, you'll get permission. But please don't bother me again until your predicament changes."

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn't authorized to perform the requested operation on the given resource.

Another nice pictorial format (image not reproduced on this page)
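The rule from the answer above, as an added example that is not part of the original post: missing or bad credentials get a 401 with a WWW-Authenticate header, an authenticated user without permission gets a 403 with no such header, and only an authenticated and permitted user gets 200. The user table, ACL and realm are constructed sample data, and HTTP Basic is used as the authentication scheme for illustration.

```python
import base64
import binascii
import hmac

# Constructed sample data (not from the original post): credentials and
# per-path permissions for a hypothetical application.
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {"/admin/report": {"alice"}, "/profile": {"alice", "bob"}}
REALM = "example"

def authenticate(headers):
    """Return the authenticated user name, or None for missing/bad credentials."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed credentials count as "authenticated incorrectly"
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    # Constant-time compare so a wrong name and a wrong password reject alike.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user

def handle(headers, path):
    """Map a request to (status, response headers) using the 401/403 rule."""
    user = authenticate(headers)
    if user is None:
        # Not authenticated, or badly authenticated: 401 plus the header
        # telling the client how to authenticate and try again.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if user not in ACL.get(path, set()):
        # Authenticated but not permitted: 403, and deliberately no
        # WWW-Authenticate header, since re-authenticating will not help.
        return 403, {}
    return 200, {}

def basic(user, password):
    """Build an Authorization header value for the sample requests."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

if __name__ == "__main__":
    print(handle({}, "/profile"))
    print(handle({"Authorization": basic("bob", "wrong")}, "/profile"))
    print(handle({"Authorization": basic("bob", "hunter2")}, "/admin/report"))
    print(handle({"Authorization": basic("alice", "s3cret")}, "/admin/report"))
```

Note that the 403 branch is the only place the application's own authorization logic runs; everything that produces a 401 happens before the application knows who the caller is.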

