Return 401 on expired/missing session?

Cantor, Scott cantor.2 at osu.edu
Mon Apr 9 15:38:01 EDT 2018


> I always thought I can't have require rules when not enforcing sessions? I.e.,
> with passive protection any authorization would have to be performed
> within the application?

You can, it's just usually not done because you'd obviously never get in, but if it's all intended to be programmatically controlled, that might be the outcome you want. But I believe it always returns 403 right now.

> Anyway, I now have active protection on / (for browser access) and the
> above for /api (meant only for the JS to access) and that seems to work fine:
> The browser establishes an SP session before even loading the JS, the JS
> then accesses the /api just fine, once the shib session expires the XHRs to
> /api will get HTTP 401 from the server.

I think the SP itself is just returning 403s on require failures.

-- Scott


