HTTP 401 Error vs HTTP 403 Error: Status Code Responses Explained

Date: 2020-04-14 04:00:43


We've covered the 403 (Forbidden) HTTP Error code in some detail before, but it also has a near identical sibling.


So what exactly is the difference between the 401 (Unauthorized) and 403 (Forbidden) status codes? Surely they mean the same thing? Let's take a closer look!


RFC Standards

The most up to date RFC Standard defining 401 (Unauthorized) is RFC 7235:

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource...The user agent MAY repeat the request with a new or replaced Authorization header field.

Whereas 403 (Forbidden) is most recently defined in RFC 7231:

The 403 (Forbidden) status code indicates that the server understood the request but refuses to authorize it...If authentication credentials were provided in the request, the server considers them insufficient to grant access.

Common Causes

As mentioned in the previous article, the 403 error can result when a user has logged in but they don't have sufficient privileges to access the requested resource. For example, a generic user may be attempting to load an 'admin' route.


The most obvious time you'd encounter a 401 error, on the other hand, is when you have not logged in at all, or have provided the incorrect password.


These are the two most common causes for this pair of errors.


Less Common Causes

There are some instances where it's not quite as straightforward as that, though.


403 errors can occur because of restrictions not entirely dependent on the logged in user's credentials.


For example, a server may have locked down particular resources to only allow access from a predefined range of IP addresses, or may utilize geo-blocking. The latter can be potentially circumvented with a VPN.


401 errors can occur even if the user enters the correct credentials. This is rare, and might be something you only really encounter while developing your own authenticated back ends. But if the authorization header is malformed it will return a 401.


For example, you might have a JWT (JSON Web Token) you want to include in the request header, which expects the format Authorization: Bearer eyJhbGci......yJV_adQssw5c. If you were to forget the word 'Bearer' before the JWT, you would encounter the 401 error.

I have run into this problem myself when testing APIs under development with Postman and forgetting the correct syntax for auth headers!
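As an added example (not code from the original article), here is the decision logic a back end might use to keep the two codes apart, covering each case discussed above: a missing or malformed Authorization header, an unrecognised token, a logged-in user hitting an admin route, and a resource locked to an IP range. The token store, role names, route prefixes and the 10.0.0.0/8 allow-list are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample "token store"; a real service would verify signed JWTs.
# The token strings are made-up placeholders, not real credentials.
USERS_BY_TOKEN = {
    "tok-alice-user": {"name": "alice", "roles": {"user"}},
    "tok-bob-admin": {"name": "bob", "roles": {"user", "admin"}},
}

ADMIN_PREFIX = "/admin"        # requires the "admin" role (assumed)
INTERNAL_PREFIX = "/internal"  # restricted by client IP, not by login (assumed)
ALLOWED_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumed allow-list

# RFC 6750 credential syntax: the scheme word "Bearer" followed by the token.
BEARER_RE = re.compile(r"^Bearer\s+(\S+)$")


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def authorize(path: str, headers: dict, client_ip: str) -> Response:
    """Return 200, 401 or 403 for a request, following RFC 7235 / RFC 7231.

    401: no usable credentials (header missing or malformed, or token unknown).
         RFC 7235 requires a 401 to carry a WWW-Authenticate challenge.
    403: request understood, caller may even be known, but access is refused.
    """
    # IP restriction first: no credential can fix this, so it is a 403.
    if path.startswith(INTERNAL_PREFIX) and ipaddress.ip_address(client_ip) not in ALLOWED_NETWORK:
        return Response(403)

    challenge = {"WWW-Authenticate": 'Bearer realm="api"'}
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    auth = lowered.get("authorization")
    if auth is None:
        return Response(401, challenge)   # not logged in at all
    match = BEARER_RE.match(auth)
    if match is None:
        return Response(401, challenge)   # e.g. the word "Bearer" was forgotten
    user = USERS_BY_TOKEN.get(match.group(1))
    if user is None:
        return Response(401, challenge)   # wrong or expired credentials

    if path.startswith(ADMIN_PREFIX) and "admin" not in user["roles"]:
        return Response(403)              # logged in, but insufficient privileges
    return Response(200)
```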


That's it

I hope this clears up any confusion surrounding these very similar errors.


If you found this helpful, or wish to challenge or extend anything raised here, feel free to contact me on Twitter @JacksonBates.


Translated from: /news/http-401-error-vs-http-403-error-status-code-responses-explained/

