
I am designing an authorization framework and now I am thinking about the error codes which I should return when someone is trying to access a resource and he doesn't have the required permissions. These are my thoughts so far:

  1. case: The user is not authenticated, he is seen as "anonymous" -> Here I think 401 would be the right status code, so the user gets the opportunity to authenticate himself.

  2. case: The user is already authenticated. I would return 404 NOT FOUND. RFC2616 states that if we don't want to reveal exactly why the request has been refused, 404 is a good way to go.

I am also thinking of adding another case for the user: ADMIN. If ADMIN is unauthorized he should get customized responses, so he would know exactly what the problem is. What do you think about this? Does it make sense? How could someone exploit this?

Do you think that it is better to use 404 for everything or would you differentiate between 403 and 404, and why?

Is there any good literature regarding this subject? (I have already searched and found nothing conclusive)

Gilles 'SO- stop being evil'
user3464679
  • See also [Is it a good practice to show 403 unauthorized access error to user?](http://security.stackexchange.com/questions/46171/is-it-a-good-practice-to-show-403-unauthorized-access-error-to-user) – Gilles 'SO- stop being evil' Aug 04 '14 at 21:53

1 Answer

I think RFC 2616 is quite clear:

10.4.4 403 Forbidden

The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

So really it's up to you if you would like to add additional information (the "reason for the refusal") if the request was made by an administrator.

But really, isn't your administrator unauthorized to view the requested resource? I think that's the case, and if I'm right, the response should definitely be 401 Unauthorized.

From 10.4.2. 401 Unauthorized:

[...] If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. [...]

Steven Volckaert

  • 403 says that the resource exists but the user is not authorized to access it. And 404 says that the resource was not found (even if it is there but the access is not given). Is it a big security issue if I return a 403? – user3464679 Apr 15 '14 at 12:06
  • Not really. `403 Forbidden` really says that "authorization will not help", so even a new request, this time with the correct authorization header (identifying your administrator), should fail. – Steven Volckaert Apr 15 '14 at 12:28
  • But I still give the information: the resource exists. Or do I see it wrong? – user3464679 Apr 15 '14 at 12:47
  • See this discussion on StackOverflow: [403 Forbidden vs 401 Unauthorized HTTP responses](http://stackoverflow.com/a/6937030/2314596). There seems to be quite some discussion regarding this matter; some have the opinion that `401` really means _authentication_, not _authorization_, and `403` would then indeed be returned if the resource exists, but the requesting party does not have the permission to see it. – Steven Volckaert Apr 15 '14 at 13:04
  • Thank you, the discussion is helpful. In the end, I will have to decide what is better for my system and then be consistent. – user3464679 Apr 15 '14 at 14:07
  • Yes, indeed. You're welcome. – Steven Volckaert Apr 15 '14 at 14:16
  • Personally, I see the `403 Forbidden` as a way to indicate that a request is really forbidden. An example would be: If a method is obsolete and replaced by another. – Steven Volckaert Apr 15 '14 at 14:22
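The three cases from the question, as an added example that is not part of the original question or answer: a small decision function that maps an access check onto the status codes discussed here (401 with the `WWW-Authenticate` header RFC 2616 requires for anonymous callers, 404 when the existence of the resource is to be hidden, 403 with the reason in the body for the ADMIN role, following the RFC 2616 text quoted in the answer). The resource table, principals and realm are constructed for the example; the practical check it adds is that the "hidden" 404 is the very same response object as a genuine 404, so status, headers and body cannot differ and leak that the resource exists.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (hypothetical): resources, per-user permissions, roles.
RESOURCES = {"/reports/42": {"owner": "alice"}, "/audit": {"owner": "carol"}}
PERMISSIONS = {"alice": {"/reports/42"}, "bob": set(), "carol": {"/audit"}}
ROLES = {"carol": "ADMIN"}


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# One canonical 404 shared by "really missing" and "hidden": identical on the wire.
NOT_FOUND = Response(404, {}, "Not Found")


def authorize(path: str, user: Optional[str], hide_existence: bool = True) -> Response:
    """Decide the HTTP response for `user` requesting `path`."""
    # Case 1: anonymous. A 401 MUST carry WWW-Authenticate so the client can
    # authenticate and retry; "reports" is a constructed realm name.
    if user is None:
        return Response(401, {"WWW-Authenticate": 'Basic realm="reports"'},
                        "Authentication required")
    # Genuinely missing resource.
    if path not in RESOURCES:
        return NOT_FOUND
    if path in PERMISSIONS.get(user, set()):
        return Response(200, {}, f"report owned by {RESOURCES[path]['owner']}")
    # Case 2: authenticated but not permitted. ADMIN gets the reason in the
    # entity (RFC 2616 10.4.4); everyone else gets the undifferentiated 404.
    if ROLES.get(user) == "ADMIN":
        return Response(403, {}, f"Forbidden: {user} lacks permission on {path}")
    if hide_existence:
        return NOT_FOUND
    return Response(403, {}, "Forbidden")


def hidden_matches_missing(user: str) -> bool:
    """Check that a hidden resource is indistinguishable from a missing one."""
    return authorize("/reports/42", user) == authorize("/no/such/resource", user)
```

Whichever policy is chosen, the consistency check is the part worth keeping: any difference in status, headers or body between the two 404 paths is what turns "404 for everything" back into an existence oracle.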