You can clone with
HTTPS or Subversion.
according to rfc2616 section 10.4.2 and 10.4.4, @authenticated should raise 401 when authentication failed, not 403.
403 means you can't get the resource even if you have passed the authentication.
But the spec also says that 401 responses MUST include a WWW-Authenticate challenge, which isn't appropriate for cookie-based authentication. Neither response code is ideal, but common practice is to use 403 even though the semantics aren't quite right instead of using a 401 without a WWW-Authenticate.