On Sun, 2023-04-30 at 15:58 +0930, Tim via users wrote:
Tim:
> > A password mismatch ought to be authorisation failure (you are
> > not
> > authorised). An authentication failure would be some other
> > problem
> > (it can't do the authentication).
Patrick O'Callaghan:
> I don't think so. Authentication is about identifying the user,
> authorisation is deciding what they can do.
Not on my server. Well, it's semantics. If I don't enter the
password, or try the wrong one, it's an authentication ERROR, and I
am not authorised.
Of course. Authorization depends on authentication.
-------------------
401 error (proper authorisation is required)
Authentication error information
Exactly. An authentication error.
The resource you tried to retrieve requires you to provide username
and
password credentials, but your request either didn't include them, or
didn't include them properly.
-------------------
And the logs will have something like:
[Sun Apr 30 15:49:14.261826 2023] [auth_basic:error] [pid 18610]
[client 192.168.1.1:36072] AH01618: user gfgaa not found:
/personal/testbox/strong/
I wouldn't call that an auth failure, it's actually doing its job.
By "authorization failure" I simply mean "the user failed to
authenticate themselves", not that there's necessarily something wrong
with Apache.
If I configure the server incorrectly, I may get a 500 error, but
that
will be an authentication failure (it can't do the job).
e.g. If I try to use MD5 when it's not possible, I will get a 500
error
-----------------------
500 Internal Server Error
Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.
------------------------
And this in the logs:
[Sun Apr 30 15:44:36.485184 2023] [authn_core:error] [pid 19426]
[client 192.168.1.1:36034] AH01796: AuthType MD5 configured without
corresponding module
In this case that would be an internal issue, manifested as an
authentication error. It's unfortunate that both terms have the prefix
"auth" and the message could be clearer. However that's not what I'm
talking about in this case.
An *authorization error" would be where I can log in but can't use some
resource because I don't have the proper access rights. In my case I
couldn't log in, so the question of authorization didn't arise.
Cheers
poc