南昌 提供网站设计 公司短链接生成
📢📢📢:先看关键单词,再看英文,最后看中文总结,再回头看一遍英文原文,效果更佳!!
关键词
| unauthorized | 未授权的 | /ˌʌnˈɔːθəraɪzd/ |
| authentication | 认证 | /ɔːˌθentɪˈkeɪʃən/ |
| credentials | 凭证 | /krɪˈdenʃəlz/ |
| server | 服务器 | /ˈsɜːrvər/ |
| token | 令牌 | /ˈtəʊkən/ |
| expired | 过期的 | /ɪkˈspaɪərd/ |
| bearer | 持票人 | /ˈberər/ |
| forbidden | 禁止的 | /fərˈbɪdən/ |
| privileges | 特权 | /ˈprɪvɪlɪdʒɪz/ |
| authenticated | 经过身份验证的 | /ɔːˈθentɪkeɪtɪd/ |
| sufficient | 足够的 | /səˈfɪʃənt/ |
| irrespective | 无关的 | /ˌɪrɪˈspektɪv/ |
| integration | 集成 | /ˌɪntɪˈɡreɪʃən/ |
| adequate | 适当的 | /ˈædɪkwət/ |
| privileges | 特权 | /ˈprɪvɪlɪdʒɪz/ |
正文
401 Unauthorized vs 403 Forbidden
In web development, ensuring access control is essential in safely and efficiently managing APIs. The meanings of 401 Unauthorized and 403 Forbidden are sometimes confused. Nonetheless, both codes have to do with restricted resources, but they serve different purposes. In this article, we will explain the codes and instruct you on which one to use.
401 Unauthorized?
The response code for a request lacking valid authentication credentials from a client is referred to as the 401 Unauthorized status code. That being said, it means that before accessing the requested resource, it’s necessary for the server to authenticate itself to the client. If no credentials are provided or if wrong ones are given by the client, then what follows is a 401 status code.
When to Use 401 Unauthorized
Use 401 Unauthorized when:
- No authentication details have been received yet from the client.
- The authentication information supplied – username and password/token – is not valid/has expired.
- There is no authorization header present in your requests like “Authorization.”
For instance, if an API demands Bearer token for access but this token has not been included in any request or is incorrect it will issue back a response having HTTP-code of Unauthorized (the most common case).
403 Forbidden?
The reason for using a 403 Forbidden status code when the server recognizes the request, the client has been authenticated, but the client does not have permission to access the requested resource. It means that in this case, a client is known while a server intentionally turns down fulfilling his or her request because of inadequate privileges.
When to Use 403 Forbidden
Use 403 Forbidden when:
- Authenticated clientele lack sufficient permissions to reach given resources. • Server denies resource access irrespective of client’s authentication state. • Client’s access to resources is prohibited by any form of an access control system.
For instance, an authorized user may try accessing an admin only page without having adequate role. Even if one gets logged in and receive a response like ‘forbidden’ but still he/she does not have enough rights.
401 vs 403
| Aspect | 401 Unauthorized | 403 Forbidden |
|---|---|---|
| Purpose | 401 indicates missing or invalid authentication. | 403 indicates lack of permission despite valid authentication. |
| When should server send this? | When the client needs to provide valid credentials. | When the client is authenticated but not authorized to access the resource. |
| What should the client do on receiving this? | The client should provide or correct authentication details. | The client should not retry, as access is denied. |
| Example | Accessing a resource without a valid API token. | Accessing a restricted admin area without sufficient privileges. |
With the correct usage of 401 Unauthorized and 403 Forbidden status codes, you can make sure to avoid unwanted integration support tickets. The message clearly informs the clients on why they cannot gain access.
By correctly using 401 Unauthorized and 403 Forbidden status codes, you can ensure that your API communicates access issues clearly and helps clients understand the nature of the problem.
总结:
-
401 Unauthorized:
- 401 Unauthorized 状态码表示客户端请求缺少有效的身份验证凭证。
- 服务器需要在访问请求的资源之前对客户端进行身份验证。
- 如果客户端没有提供凭证或提供了错误的凭证,则返回401状态码。
- 使用场景:
- 客户端尚未提供任何身份验证详细信息。
- 提供的身份验证信息(如用户名和密码/令牌)无效或已过期。
- 请求中没有包含授权头(如“Authorization”)。
-
403 Forbidden:
- 403 Forbidden 状态码表示服务器识别了请求,客户端已通过身份验证,但客户端没有权限访问请求的资源。
- 服务器明确拒绝客户端的请求,因为权限不足。
- 使用场景:
- 经过身份验证的客户端缺乏足够的权限访问资源。
- 无论客户端的身份验证状态如何,服务器都拒绝资源访问。
- 访问控制系统禁止客户端访问资源。
具体来说,用户名/密码或者其他方式登录系统就会返回一个token, 后续请求请求头里的token无效那么服务端就会返回401, 如果token有效,但是该用户权限不足不能访问对应的资源就会返回403