[jboss-jira] [JBoss JIRA] (WFLY-7393) Elytron Http status code for missing LoginPermission
Jan Kalina (JIRA)
issues at jboss.org
Mon Nov 14 15:33:00 EST 2016
[ https://issues.jboss.org/browse/WFLY-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Kalina reassigned WFLY-7393:
--------------------------------
Assignee: Jan Kalina
> Elytron Http status code for missing LoginPermission
> ----------------------------------------------------
>
> Key: WFLY-7393
> URL: https://issues.jboss.org/browse/WFLY-7393
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
> Assignee: Jan Kalina
> Priority: Optional
>
> Lack of {{LoginPermission}} leads to 401 http code. Which could IMO indicate user can try to login again with different password. However it won't help in this case. I wonder, wouldn't 403 Forbidden be more suitable here? Indicating user authentication passed, but user is missing some permission.
> Setting with low priority as in DR7 in default configuration LoginPermission is added by default.
> David: "I think you may be right @MartinChoma - 401 is called "unauthorized" but really it should say "authentication required" 403 is the correct response for an authorization error"
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list