Tags: java, http, jakarta-ee, http-status-code-403

Use case for responding with 403 status code


I've recently started developing Java EE applications, and I'm trying to understand more about the HTTP status codes, and when they should be used.

One case that I have is when a user logs in and wants to check on the status of an order. The requirement is that a user cannot check on the status of an order that does not belong to them.

The URL for checking an order is, for example:

mysite.com/order/status?id=22594

The servlet that handles this request will examine the ID parameter, and go off and retrieve the order from the database.

If the user enters the ID of an order that they did not submit, would it be appropriate to return a 403, or respond with an order not found?


Solution

  • In your typical situation, I can think of the following use cases:

    Order Id not found

    • Send a 404. Order does not exist.

    Order Id belongs to someone else.

    • Send a 403 if the user is logged in. (403 means: "I know who you are and you aren't allowed to access this resource".)
    • Send a 404. Sometimes it fits to send this status. You wouldn't want to let the end client know if the resource exists. Either the resource exists for this authenticated and authorised user, or it doesn't.

    User is not logged in

    • Send a 401 "Authentication Required" when trying to access the resource.
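Added example (not code from the question or the answer) that puts the answer's three cases into a Jakarta Servlet for the URL in the question. The `Order` record, the in-memory `ORDERS` map, the `HIDE_EXISTENCE` switch and the user names are constructed assumptions, and authentication is assumed to be container-managed so that `getUserPrincipal()` is non-null for logged-in users.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import static jakarta.servlet.http.HttpServletResponse.*;

@WebServlet("/order/status")
public class OrderStatusServlet extends HttpServlet {
    // Hypothetical order record: who placed it and its current status.
    record Order(String owner, String status) {}

    // Constructed in-memory stand-in for the database the question mentions.
    private static final Map<Long, Order> ORDERS = Map.of(
            22594L, new Order("alice", "SHIPPED"),
            22595L, new Order("bob", "PENDING"));

    // true -> someone else's order is reported as 404 rather than 403, so the
    // response does not reveal that the ID exists (the answer's second option).
    private static final boolean HIDE_EXISTENCE = false;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Case "user is not logged in": container-managed auth sets the principal.
        Principal user = req.getUserPrincipal();
        if (user == null) { resp.sendError(SC_UNAUTHORIZED); return; }   // 401
        // Validate the id before it reaches the database; a missing or
        // non-numeric id is a 400 (parseLong throws for null as well).
        long id;
        try {
            id = Long.parseLong(req.getParameter("id"));
        } catch (NumberFormatException e) {
            resp.sendError(SC_BAD_REQUEST); return;
        }
        // Case "order id not found".
        Order order = ORDERS.get(id);
        if (order == null) { resp.sendError(SC_NOT_FOUND); return; }     // 404
        // Case "order id belongs to someone else": the ownership check itself.
        if (!order.owner().equals(user.getName())) {
            resp.sendError(HIDE_EXISTENCE ? SC_NOT_FOUND : SC_FORBIDDEN); // 403
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(order.status());
    }
}
```

Note that the ownership check runs on every request after the lookup, so changing only the `id` parameter never yields another user's status; `HIDE_EXISTENCE` decides whether the refusal is visible as a 403 or indistinguishable from a missing order.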