I have run into a situation where I don't believe the HTTP specification
is clear so I was hoping that folks here might be able to weigh in on
what the correct approach might be.
Imagine that I have a resource at some HTTP URL. This resource supports
the GET, PUT and DELETE methods.
In response to a request with any of those three methods, the resource
returns a valid 401 Unauthorized response containing a challenge.
If I recieve a request that has valid authentication credentials for a
user that only has access rights to read and not to modify the resource,
what is the appropriate response status code to use when that request
uses the PUT or DELETE methods?
Here are some options I've been considering:
* Return 405 Method Not Allowed, and indicate in the "Allow" response
header the methods that this particular authenticated user is allowed to
perform. (i.e. Allow: GET)
* Return 403 Forbidden, indicating that the authentication was
successful and that this method is supported but this particular client
is not allowed perform the request. The "Allow" response header here
will have the value "GET, PUT, DELETE".
* Return 401 Unauthorized with another challenge, indicating that the
supplied credentials are not acceptable for this resource. This of
course means that the client is unable to distinguish between an invalid
credentials error and an insufficient access error.
I'd be interested to hear some feedback on which of these approaches
would be best, or indeed recieve any suggestions on alternative
approaches that work better with web architecture.
Thanks,
Martin