[jboss-jira] [JBoss JIRA] (WFCORE-2437) Elytron Http status code for missing LoginPermission

Darran Lofthouse (JIRA) issues at jboss.org
Tue Mar 7 13:16:34 EST 2017


     [ https://issues.jboss.org/browse/WFCORE-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse moved WFLY-7393 to WFCORE-2437:
------------------------------------------------

              Project: WildFly Core  (was: WildFly)
                  Key: WFCORE-2437  (was: WFLY-7393)
          Component/s: Security
                           (was: Security)
    Affects Version/s: 3.0.0.Beta7
                           (was: 11.0.0.Alpha1)


> Elytron Http status code for missing LoginPermission
> ----------------------------------------------------
>
>                 Key: WFCORE-2437
>                 URL: https://issues.jboss.org/browse/WFCORE-2437
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 3.0.0.Beta7
>            Reporter: Martin Choma
>            Assignee: Jan Kalina
>            Priority: Optional
>
> Lack of {{LoginPermission}} leads to a 401 HTTP code, which could IMO indicate the user can try to log in again with a different password. However, it won't help in this case. I wonder, wouldn't 403 Forbidden be more suitable here? Indicating user authentication passed, but the user is missing some permission.
> Setting with low priority as in DR7 in the default configuration LoginPermission is added by default.
> David: "I think you may be right @MartinChoma - 401 is called "unauthorized" but really it should say "authentication required". 403 is the correct response for an authorization error"



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
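To illustrate the distinction the report argues for, here is an added example (not Elytron's or WildFly's code, written for this page): a minimal HTTP Basic handler that answers 401 with a challenge when authentication fails and 403 when the authenticated identity lacks LoginPermission. The user store, realm name and the `handle`/`authenticate` functions are constructed for the example.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Constructed sample identity store: username -> (password, set of permissions).
# "alice" can authenticate but lacks LoginPermission; "bob" holds it.
USERS = {
    "alice": ("alice-pw", set()),
    "bob": ("bob-pw", {"LoginPermission"}),
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def authenticate(authorization_header):
    """Return the username for a valid 'Basic' credential, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    entry = USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    return user


def handle(headers):
    """Map authentication and permission outcomes to the status codes discussed."""
    user = authenticate(headers.get("Authorization"))
    if user is None:
        # No or bad credentials: 401 plus a challenge, so the client knows
        # retrying with different credentials can change the outcome.
        return Response(401, {"WWW-Authenticate": 'Basic realm="elytron-demo"'})
    if "LoginPermission" not in USERS[user][1]:
        # Credentials were valid but the identity lacks LoginPermission:
        # 403 with no challenge, since new credentials would not help.
        return Response(403)
    return Response(200)


def basic(user, password):
    """Build an HTTP Basic Authorization header value for the sample client."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```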
