[squeak-dev] The Inbox: WebClient-Core-ct.126.mcz

Tobias Pape Das.Linux at gmx.de
Mon Oct 12 19:06:21 UTC 2020


Hi

> On 12.10.2020, at 20:47, Thiede, Christoph <Christoph.Thiede at student.hpi.uni-potsdam.de> wrote:
> 
> For example, many modern REST APIs use to return an error 404 if an attempt is made to access a private resource without authenticating before [1] which currently makes it impossible to authenticate to these APIs using the WebClient.


No, that's not what the link says:

Q: "1. How to deal with unauthorized requests?

I'm intending to respond to requests with the following codes:

	• Is the resource open and found? 200 OK
	• Do you need to be authenticated to access the resources? 401 Unauthorized
	• Don't you have access to a category of resources? 403 Forbidden
	• Do you have access to a category of resources, but not to this specific resource? 404 Not Found to prevent people from getting to know the existence of a resource they do not have access to.
	• Doesn't the resource exist? 404 Not Found

"
A: "How to deal with unauthorized requests?

The way you described it is pretty much the recommended way for a RESTful service. As far as I can see there is absolutely nothing wrong with that."


That means: "Do you need to be authenticated to access the resources? 401 Unauthorized" 

I do not support preemptive authentication, especially in non-SSL circumstances.


=-=-=-=


It is also hard to see the differences because you reformatted the method :/

Best regards
	-Tobias

