Looking at the docs and the source of the Django REST Framework, I see that SessionAuthentication only ever returns an HTTP 403 code whereas other Authentication classes will return 401. What is the reason for this?
There are certainly plenty of cases where 401 makes sense.
The issue is especially problematic since "The first authentication class set on the view is used when determining the type of response." and SessionAuthentication is by default the first Authentication class.
Django REST Framework adheres to the HTTP specification, and does not return a 401 response when the Authentication class does not return a WWW-Authenticate header that can be used. Because the SessionAuthentication class does not define a WWW-Authenticate header that can be used, Django REST Framework cannot return 401 responses and still follow the specification. You can get around this by setting another Authentication class that supports the header to the top of your list, such as BasicAuthentication.
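The rule described in the answer, as an added stand-alone model (not the framework's own code and not part of the original thread): the first authenticator's authenticate_header() value decides whether a 401 may be sent, and an empty value downgrades the response to 403 because a 401 without WWW-Authenticate would violate the HTTP spec. The three small stand-in classes and the unauthenticated_response() function are assumptions written for illustration; they only mirror the behaviour the answer describes (SessionAuthentication yields no header, BasicAuthentication yields a Basic realm, TokenAuthentication yields its keyword), and no Django or DRF install is required to run it.

```python
"""Model of how the 401-vs-403 decision described above plays out.

Stand-alone reconstruction for illustration (assumption): real DRF views
consult authenticate_header() on the FIRST configured authenticator when an
unauthenticated request is rejected. These stand-in classes are not DRF's.
"""
from dataclasses import dataclass, field
from typing import Optional


class SessionAuth:
    """Stand-in for SessionAuthentication: it names no challenge scheme."""

    def authenticate_header(self, request) -> Optional[str]:
        return None


class BasicAuth:
    """Stand-in for BasicAuthentication: advertises a Basic realm."""

    realm = "api"  # DRF's default www_authenticate_realm is "api"

    def authenticate_header(self, request) -> Optional[str]:
        return 'Basic realm="%s"' % self.realm


class TokenAuth:
    """Stand-in for TokenAuthentication: advertises its keyword."""

    keyword = "Token"

    def authenticate_header(self, request) -> Optional[str]:
        return self.keyword


@dataclass
class Response:
    status_code: int
    headers: dict = field(default_factory=dict)


def unauthenticated_response(authenticators, request=None) -> Response:
    """Build the response for a request that NO authenticator accepted.

    Only the first authenticator in the list is asked for a challenge
    (the "first authentication class ... determines the type of response"
    rule quoted in the question).  Without a challenge value a 401 would
    lack the mandatory WWW-Authenticate header, so 403 is sent instead.
    """
    header = None
    if authenticators:
        header = authenticators[0].authenticate_header(request)
    if header:
        return Response(401, {"WWW-Authenticate": header})
    return Response(403)


def status_for_order(*authenticators) -> int:
    """Convenience: the status code produced for a given authenticator order."""
    return unauthenticated_response(list(authenticators)).status_code


if __name__ == "__main__":
    # Default ordering (session first): the 403 the question complains about.
    print(status_for_order(SessionAuth(), BasicAuth()))   # 403
    # Workaround from the answer: a header-capable class at the top of the list.
    r = unauthenticated_response([BasicAuth(), SessionAuth()])
    print(r.status_code, r.headers)                       # 401 {...Basic realm="api"}
    # Equivalent DRF settings entry for the workaround (assumed placement):
    # REST_FRAMEWORK = {"DEFAULT_AUTHENTICATION_CLASSES": [
    #     "rest_framework.authentication.BasicAuthentication",
    #     "rest_framework.authentication.SessionAuthentication",
    # ]}
```

Reordering only changes the status for requests that fail every authenticator; a request that authenticates successfully but lacks permission still gets 403, and moving BasicAuthentication first also means the browser will pop its own credentials dialog on a 401 unless the client handles the challenge itself.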