[ https://issues.jboss.org/browse/WFLY-7393?page=com.atlassian.jira.plugin.... ]
Martin Choma moved JBEAP-6657 to WFLY-7393:
-------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-7393 (was: JBEAP-6657)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security (was: Security)
Affects Version/s: 11.0.0.Alpha1 (was: 7.1.0.DR7)
Elytron Http status code for missing LoginPermission
----------------------------------------------------
Key: WFLY-7393
URL: https://issues.jboss.org/browse/WFLY-7393
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 11.0.0.Alpha1
Reporter: Martin Choma
Priority: Optional
Lack of {{LoginPermission}} leads to a 401 HTTP code, which could IMO indicate that the user can try to log in again with a different password. However, it won't help in this case. I wonder, wouldn't 403 Forbidden be more suitable here? It would indicate that user authentication passed, but the user is missing some permission.
Setting with low priority, as in DR7 {{LoginPermission}} is added by default in the default configuration.
David: "I think you may be right @MartinChoma - 401 is called "unauthorized" but really it should say "authentication required". 403 is the correct response for an authorization error."
--
This message was sent by Atlassian JIRA (v7.2.2#72004)