[ https://issues.jboss.org/browse/WFLY-7393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Choma moved JBEAP-6657 to WFLY-7393:
-------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-7393 (was: JBEAP-6657)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: 11.0.0.Alpha1
(was: 7.1.0.DR7)
> Elytron Http status code for missing LoginPermission
> ----------------------------------------------------
>
> Key: WFLY-7393
> URL: https://issues.jboss.org/browse/WFLY-7393
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
> Priority: Optional
>
> Lack of {{LoginPermission}} leads to 401 http code. Which could IMO indicate user can try to login again with different password. However it won't help in this case. I wonder, wouldn't 403 Forbidden be more suitable here? Indicating user authentication passed, but user is missing some permission.
> Setting with low priority as in DR7 in default configuration LoginPermission is added by default.
> David: "I think you may be right @MartinChoma - 401 is called "unauthorized" but really it should say "authentication required" 403 is the correct response for an authorization error"
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)