When to Use 401 Unauthorized

  • General discussion

  • Kind of a WCF question, but kind of not.

    I have an IIS-hosted RESTful WCF service that requires impersonation, and anonymous access is turned off.  Due to these settings, when I enter my service's logic I have the user's credentials and can check whether the user is authorized (based on Active Directory groups) to execute a particular action or not.

    My question is: if the user is not authorized to perform the particular action, should I return a 401 or a 5xx HTTP status?  I'm kind of on the fence because I feel that a 401 is reserved as a web server response rather than a service response; however, a 5xx response seems non-standard.


    Friday, July 13, 2012 7:29 PM

All replies

  • It is recommended to return 401. Status code is not reserved by web servers. It is perfectly reasonable for services to return 401.

    Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, July 16, 2012 2:35 AM
  • I agree with Yi-Lun...

    Why don't you send back an application-specific error code and exception? If your user is unauthorized, then your application won't allow you to do some operation ... this is not a Windows or Web exception ... this is your application-specific business rule violation ... so it is better to send a user-defined, application-specific exception code and error message ... like all other standard software ...

    Tanvir Huda Application Architect/Consultant http://thetechnocrate.wordpress.com/

    Monday, July 16, 2012 4:17 AM
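
The two replies above can be combined: return the 401 status and put an application-specific error code in the response body. The following is an added example, not code from the thread or from any poster; the contract, the `ApiError` type, the group name and the error code are hypothetical, and it assumes a `webHttpBinding` endpoint with Windows authentication as described in the question.

```csharp
using System.Diagnostics;
using System.Net;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Web;

// Hypothetical error body carrying the application-specific code and message.
[DataContract]
public class ApiError
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

[ServiceContract]
public interface IOrderService // hypothetical contract
{
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "orders/{id}/cancel")]
    void CancelOrder(string id);
}

public class OrderService : IOrderService
{
    private const string RequiredGroup = @"CONTOSO\OrderAdmins"; // constructed group name

    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public void CancelOrder(string id)
    {
        // With anonymous access off, IIS has already authenticated the caller.
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (!new WindowsPrincipal(caller).IsInRole(RequiredGroup))
        {
            // Record the denial server-side; keep identity and group details out of the response.
            Trace.TraceWarning("Denied CancelOrder({0}) for {1}", id, caller.Name);
            var error = new ApiError
            {
                Code = "ORDER_CANCEL_DENIED",
                Message = "You are not permitted to cancel orders."
            };
            // Sets the HTTP status to 401 and serializes the error as the response body.
            throw new WebFaultException<ApiError>(error, HttpStatusCode.Unauthorized);
        }
        // Authorized: the cancellation logic runs here under the caller's identity.
    }
}
```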