On Sun, 2023-04-30 at 15:58 +0930, Tim via users wrote: > Tim: > > > A password mismatch ought to be authorisation failure (you are > > > not > > > authorised). An authentication failure would be some other > > > problem > > > (it can't do the authentication). > > > Patrick O'Callaghan: > > I don't think so. Authentication is about identifying the user, > > authorisation is deciding what they can do. > > Not on my server. Well, it's semantics. If I don't enter the > password, or try the wrong one, it's an authentication ERROR, and I > am not authorised. > Of course. Authorization depends on authentication. > ------------------- > 401 error (proper authorisation is required) > > Authentication error information > Exactly. An authentication error. > The resource you tried to retrieve requires you to provide username > and > password credentials, but your request either didn't include them, or > didn't include them properly. > ------------------- > > And the logs will have something like: > > [Sun Apr 30 15:49:14.261826 2023] [auth_basic:error] [pid 18610] > [client 192.168.1.1:36072] AH01618: user gfgaa not found: > /personal/testbox/strong/ > > I wouldn't call that an auth failure, it's actually doing its job. > By "authorization failure" I simply mean "the user failed to authenticate themselves", not that there's necessarily something wrong with Apache. > If I configure the server incorrectly, I may get a 500 error, but > that > will be an authentication failure (it can't do the job). > > e.g. If I try to use MD5 when it's not possible, I will get a 500 > error > > ----------------------- > 500 Internal Server Error > Internal Server Error > The server encountered an internal error or misconfiguration and was > unable to complete your request. > ------------------------ > > And this in the logs: > > [Sun Apr 30 15:44:36.485184 2023] [authn_core:error] [pid 19426] > [client 192.168.1.1:36034] AH01796: AuthType MD5 configured without > corresponding module > In this case that would be an internal issue, manifested as an authentication error. It's unfortunate that both terms have the prefix "auth" and the message could be clearer. However that's not what I'm talking about in this case. An *authorization error" would be where I can log in but can't use some resource because I don't have the proper access rights. In my case I couldn't log in, so the question of authorization didn't arise. Cheers poc _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
