[jboss-jira] [JBoss JIRA] (WFCORE-2437) Elytron Http status code for missing LoginPermission
Darran Lofthouse (JIRA)
issues at jboss.org
Fri Jul 7 09:38:01 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse resolved WFCORE-2437.
--------------------------------------
Resolution: Out of Date
Marking as out of date, as there has been quite a bit of rework of the mechanism status handling - I think, however, that if a mechanism fails authentication but another is able to challenge, then 401 may still be a valid status code.
> Elytron Http status code for missing LoginPermission
> ----------------------------------------------------
>
> Key: WFCORE-2437
> URL: https://issues.jboss.org/browse/WFCORE-2437
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Assignee: Jan Kalina
> Priority: Optional
>
> Lack of {{LoginPermission}} leads to a 401 HTTP code, which could IMO indicate that the user can try to log in again with a different password. However, it won't help in this case. I wonder, wouldn't 403 Forbidden be more suitable here, indicating that user authentication passed but the user is missing some permission?
> Setting low priority, as in DR7 {{LoginPermission}} is added by default in the default configuration.
> David: "I think you may be right @MartinChoma - 401 is called "unauthorized", but really it should say "authentication required". 403 is the correct response for an authorization error."
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
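The status decision the thread argues about, written out as an added illustration. This is not Elytron's code and does not model its mechanism handling; the mechanism names (BASIC, BEARER_TOKEN, CLIENT_CERT), the outcome values and the realm strings are assumptions made for the example. It encodes the two points raised above: an identity that authenticated but lacks LoginPermission is an authorization failure, so 403 when nothing else can be tried; but if some other mechanism can still issue a WWW-Authenticate challenge, 401 with that challenge remains a sensible answer.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Outcome(Enum):
    NO_CREDENTIALS = "no_credentials"  # request carried nothing this mechanism handles
    FAILED = "failed"                  # credentials were present but did not verify
    AUTHENTICATED = "authenticated"    # credentials verified to an identity


@dataclass(frozen=True)
class MechanismResult:
    """Outcome of one HTTP mechanism for one request (assumed shape, not Elytron's)."""
    name: str
    outcome: Outcome
    challenge: Optional[str] = None  # WWW-Authenticate value it can send, if any


REASON = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}


def decide_status(results: List[MechanismResult],
                  has_login_permission: bool) -> Tuple[int, List[str]]:
    """Return (status, WWW-Authenticate values) for one request.

    Rules (a reading of RFC 7235 plus the discussion above, not Elytron's logic):
      * some mechanism AUTHENTICATED and the identity holds LoginPermission -> 200;
      * otherwise every mechanism that did not authenticate may still challenge
        (a FAILED Basic mechanism re-challenges, a NO_CREDENTIALS one challenges);
      * at least one challenge available -> 401 carrying all of them; this is the
        resolution comment's case: one mechanism failed, another can still ask;
      * nobody can challenge -> 403; this is the report's case: the identity
        authenticated but lacks LoginPermission, another password will not help,
        and a 401 without WWW-Authenticate would violate RFC 7235 anyway.
    """
    if has_login_permission and any(r.outcome is Outcome.AUTHENTICATED for r in results):
        return 200, []
    challenges = [r.challenge for r in results
                  if r.outcome is not Outcome.AUTHENTICATED and r.challenge]
    if challenges:
        return 401, challenges
    return 403, []


def render_headers(status: int, challenges: List[str]) -> str:
    """Format the status line and WWW-Authenticate headers as the server would send them."""
    lines = [f"HTTP/1.1 {status} {REASON[status]}"]
    lines.extend(f"WWW-Authenticate: {c}" for c in challenges)
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Constructed sample outcomes; realm and mechanism names are illustrative.
    basic_ok = MechanismResult("BASIC", Outcome.AUTHENTICATED, 'Basic realm="app"')
    basic_bad = MechanismResult("BASIC", Outcome.FAILED, 'Basic realm="app"')
    bearer_none = MechanismResult("BEARER_TOKEN", Outcome.NO_CREDENTIALS, 'Bearer realm="app"')
    cert_none = MechanismResult("CLIENT_CERT", Outcome.NO_CREDENTIALS)  # cannot challenge in-band

    cases = [
        ("valid password, LoginPermission granted", [basic_ok], True),
        ("valid password, LoginPermission missing, nothing else can challenge", [basic_ok, cert_none], False),
        ("valid password, LoginPermission missing, bearer can still challenge", [basic_ok, bearer_none], False),
        ("wrong password, both mechanisms re-challenge", [basic_bad, bearer_none], False),
    ]
    for label, results, permitted in cases:
        print(f"-- {label}")
        print(render_headers(*decide_status(results, permitted)))
        print()
```

The second case is the one the report describes: the password was right, so re-prompting the user is pointless and 403 tells the client so. The third case is the resolution comment's caveat: another mechanism can still challenge, so 401 with only that mechanism's WWW-Authenticate value is defensible.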