On Mon, Jun 3, 2013 at 6:48 PM, Ben Reser <b...@reser.org> wrote: > On Mon, Jun 3, 2013 at 3:31 PM, Greg Stein <gst...@gmail.com> wrote: >... >> Yeah. HTTP_CONFLICT should be correct, there. > > Well technically 401 is right but we have now way of filling in the > proper WWW-Authenticate header. HTTP_CONFLICT doesn't sound > particularly great either because that's supposed to be describing an > issue with the state of the resource.
"This resource needs a username" or something like that :-) > I'd argue that we should return a 500 range error since the problem > here is that the server is not properly configured. There is really Nah. 500 means there is nothing the client can do, which isn't quite accurate. A client *could* go ahead and fill in an Authorization: header. (tho I don't know if Apache will parse it, without a config there) > nothing a client can do to resolve the issue other than to > authenticate, which our client is only going to do if the server is > setup properly. So I'd vote for returning HTTP_INTERNAL_SERVER_ERROR. "our client" won't do anything. Doesn't mean another one would. 500 is really for "holy crap. something failed, and I have NO IDEA what is going on. so just go away" That isn't really true in this case. Cheers, -g
