Elytron Http status code for missing LoginPermission ---------------------------------------------------- Key: WFCORE-2437 URL: https://issues.jboss.org/browse/WFCORE-2437 Project: WildFly Core Issue Type: Bug Components: Security Affects Versions: 3.0.0.Beta7 Reporter: Martin Choma Assignee: Jan Kalina Priority: Optional Lack of {{LoginPermission}} leads to 401 http code. Which could IMO indicate user can try to login again with different password. However it won't help in this case. I wonder, wouldn't 403 Forbidden be more suitable here? Indicating user authentication passed, but user is missing some permission. Setting with low priority as in DR7 in default configuration LoginPermission is added by default. David: "I think you may be right @MartinChoma - 401 is called "unauthorized" but really it should say "authentication required" 403 is the correct response for an authorization error"