http-headers - 403 Forbidden vs 401 Unauthorized HTTP responses

Tags: http-headers http-status-code-403 http-status-codes http-status-code-401 http-response-codes

For a web page that exists, but for which the user does not have sufficient privileges (they are not logged in, or are not in the right user group), what is the correct HTTP response to serve?

401 Unauthorized
403 Forbidden
Something else?

What I have read so far does not make the difference between the two clear. Which use cases is each response suited to?

Best answer

A clear explanation from Daniel Irvine [original link]:

There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.

This is a response generally returned by your web server, not your web application.

It’s also something very temporary; the server is asking you to try again.

So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.

Another nice pictorial format showing how to use HTTP status codes.
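The rule in the answer above, as an added example that is not part of the original question or answer: a small request handler that returns 401 with a WWW-Authenticate challenge when credentials are missing or invalid, 403 (with no challenge) when the caller is authenticated but lacks the required group, and 200 otherwise. The user store, the resource policy, the realm name and the helper names are constructed for this example; the Basic scheme is used only because it is the simplest way to show the challenge header.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample user store: username -> (password, groups).
# A real service would store salted password hashes, not plaintext.
USERS: Dict[str, Tuple[bytes, frozenset]] = {
    "alice": (b"alice-secret", frozenset({"staff", "admin"})),
    "bob": (b"bob-secret", frozenset({"staff"})),
}

# Constructed resource policy: path -> group required to access it.
RESOURCE_POLICY: Dict[str, str] = {
    "/reports": "staff",
    "/admin": "admin",
}

REALM = "example"  # hypothetical realm name for the WWW-Authenticate challenge


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the username for a valid Basic credential, otherwise None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True)
        decoded = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed credential counts as "not authenticated"
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    supplied = password.encode("utf-8")
    record = USERS.get(username)
    if record is None:
        # Compare against a dummy so unknown and known users take similar time.
        hmac.compare_digest(supplied, b"x" * len(supplied))
        return None
    if not hmac.compare_digest(supplied, record[0]):
        return None
    return username


def handle_request(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide the status code and response headers for a request to `path`."""
    required_group = RESOURCE_POLICY.get(path)
    if required_group is None:
        return 404, {}  # resource does not exist at all
    user = authenticate(headers.get("Authorization"))
    if user is None:
        # Missing or bad authentication: 401, and the WWW-Authenticate
        # header tells the client how to re-authenticate and try again.
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    if required_group not in USERS[user][1]:
        # Authenticated, but not authorized for this resource: 403, with no
        # challenge, because retrying with the same identity will not help.
        return 403, {}
    return 200, {}


def basic_header(username: str, password: str) -> str:
    """Build an Authorization header value for the constructed requests below."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Constructed requests exercising each branch.
    print(handle_request("/reports", {}))                                              # 401 + challenge
    print(handle_request("/admin", {"Authorization": basic_header("bob", "bob-secret")}))      # 403
    print(handle_request("/admin", {"Authorization": basic_header("alice", "alice-secret")}))  # 200
```

Note that the 403 branch deliberately omits WWW-Authenticate: the challenge header is what makes a 401 a "please retry" response, so sending it alongside a 403 would contradict the permanent, identity-based refusal the answer describes.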

Regarding "http-headers - 403 Forbidden vs 401 Unauthorized HTTP responses", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/3297048/
