22

因此,在我的 API 中发送一些不同的状态标头,包括404409、等。现在我遇到了. 如果用户未登录(整个 API 由权限管理)或者用户不满足正在检索/修改的特定资源的特定访问要求,我目前正在发送它。201302401 Unauthorized

现在,我还控制前端客户端(一个 jQuery/HTML 应用程序),我想区分401. 我应该使用一个不同的状态来表示未登录吗?处理它的最佳方法是在标题旁边发送正文内容吗?

4

2 回答 2

33

You should use 403 to indicate that the user isn't authorized to access the resource. Using 401 is for indicating that the user needs to supply credentials just as you are currently using it. See the descriptions of 401 and 403 here.

于 2010-08-20T02:56:34.293 回答
7

As laz say, you should use 403 when you've authenticated the user, but the user doesn't have permission to do what she's asking for. e.g. you might allow GET'ing a resource, but not DELETE or PUT.

  • 401 would be incorrect since it basically says that "I don't recognise these credentials"
  • 403 is correct since it says that "You're not allowed to do this"

In any case, the response body should always contain more information, even when it's an error response. This allows a client a way out, hopefully moving forward (using embedded links) or by providing enough information on how to proceed (e.g. "My records indicate that you do not have permission to delete XXX, please contact your system administrator and ask for the FOOBAR permission").

于 2010-08-20T08:25:43.950 回答