I'm receiving a 401 status code on a response from a webserver. However, if I trap the 401 exception and process the data, the response actually contains the same information as an authorized request - I have a different client that received status 200 with data to confirm this. Fiddler also confirms the data.
I believe this is incorrect behavior by the server; however, I cannot find the spec to confirm as such. I've read through RFC 2616 and 2617, and the most relevant snippet seems to be:
> If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.
However, by the generic definition of entity, the entity could theoretically be the data that would be sent to an authorized request.
I would be more comfortable with a 401 and no data/auth-denial data, or a 200 with authorized data. But I'm afraid this may be a defect and cause me issues down the road. I can't tell if I'm being properly 401'ed or not.
Is there any spec that states that authorized data should not be returned to a client request which generates a 401 response? Or is this scenario valid?
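To make the scenario in the question concrete, here is an added example (not code from the question or from any project it refers to) in Python. It stands up two tiny local servers: one that behaves the way the question describes, returning 401 with a `WWW-Authenticate` challenge but the same body an authorized request gets, and one that returns a neutral denial body on 401. A client rule (`get_account`) treats the status code as authoritative and never consumes a 401 body as data, and an audit check (`leaks_authorized_data`) detects the leaking behaviour by comparing the anonymous 401 body with the authenticated 200 body. The resource path, credentials and JSON bodies are constructed sample values.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data for the demo (not real credentials or records).
SECRET_RESOURCE = b'{"account": "acme", "balance": 1234}'
DENIAL_BODY = b'{"error": "authentication required"}'
VALID_CREDS = base64.b64encode(b"alice:s3cret").decode()  # Basic auth token


def make_handler(leaks_on_401):
    """Build a request handler; leaks_on_401=True reproduces the misbehaviour."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            auth = self.headers.get("Authorization", "")
            if auth == "Basic " + VALID_CREDS:
                self._send(200, SECRET_RESOURCE)
            else:
                # Leaking server: 401 status, but the authorized entity as body.
                body = SECRET_RESOURCE if leaks_on_401 else DENIAL_BODY
                self._send(401, body, challenge=True)

        def _send(self, status, body, challenge=False):
            self.send_response(status)
            if challenge:
                self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


def start_server(leaks_on_401):
    """Start a local HTTP server on a random port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(leaks_on_401))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(port, creds=None):
    """Raw GET of the demo resource; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Authorization": "Basic " + creds} if creds else {}
    conn.request("GET", "/account", headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def get_account(port, creds):
    """Client rule: the status code decides. A 401 body is diagnostics, never data."""
    status, body = fetch(port, creds)
    if status == 401:
        raise PermissionError("authentication rejected by server")
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    return body


def leaks_authorized_data(port, creds):
    """Audit check: does an unauthenticated 401 carry the same entity as an
    authenticated 200? True means the server is handing out data it just refused."""
    status_anon, body_anon = fetch(port)
    status_auth, body_auth = fetch(port, creds)
    return status_anon == 401 and status_auth == 200 and body_anon == body_auth


if __name__ == "__main__":
    for leaks in (True, False):
        srv = start_server(leaks)
        port = srv.server_address[1]
        print(f"leaks_on_401={leaks}: leak detected ->",
              leaks_authorized_data(port, VALID_CREDS))
        srv.shutdown()
```

The client rule is the practical answer to the uncertainty in the question: whatever the server puts in a 401 body, a client that keys off the status code cannot be tricked into treating a denial as success, and the audit function gives you a repeatable way to flag the server-side defect so it can be reported rather than worked around.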