OyvindLGjesdal opened a new pull request, #2187: URL: https://github.com/apache/shiro/pull/2187
Pull request for #2186

I think that the exception comes from here and that the else block should return a forbidden instead. The other location in Shiro that uses SC_UNAUTHORIZED sets the header in *HttpAuthenticationFilter.java*:

```
protected boolean sendChallenge(ServletRequest request, ServletResponse response) {
    LOGGER.debug("Authentication required: sending 401 Authentication challenge response.");
    HttpServletResponse httpResponse = WebUtils.toHttp(response);
    httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    String authcHeader = getAuthcScheme() + " realm=\"" + getApplicationName() + "\"";
    httpResponse.setHeader(AUTHENTICATE_HEADER, authcHeader);
    return false;
}
```

This wouldn't make any sense imo, since the user is already logged in. Other HTTP clients may be less strict than the Java httpclient on the contents of a returned 401.

Hope I didn't overlook anything and that it isn't just a user error from my side.

- [X] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@shiro.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
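The distinction the PR describes, as an added example that is not Shiro's own code nor part of the pull request: an authorization filter whose access-denied path answers 401 (with the WWW-Authenticate header that RFC 7235 requires alongside it) only when the caller has no identity, and 403 when an authenticated subject merely lacks the required permission. It assumes Shiro 2.x with the jakarta.servlet API; the class name and the challenge value are hypothetical.

```java
import java.io.IOException;

import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter;
import org.apache.shiro.web.util.WebUtils;

// Added example, not Shiro's own filter: picks the status code from the
// subject's state instead of sending SC_UNAUTHORIZED unconditionally.
public class StatusAwarePermissionsFilter extends PermissionsAuthorizationFilter {

    // Challenge advertised with a 401 (hypothetical scheme and realm).
    private static final String CHALLENGE = "Bearer realm=\"example-app\"";

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws IOException {
        Subject subject = getSubject(request, response);
        HttpServletResponse httpResponse = WebUtils.toHttp(response);

        if (subject.getPrincipal() == null) {
            // No identity at all: 401 is correct, but it must carry
            // WWW-Authenticate, otherwise strict clients treat the
            // response as malformed (the failure this PR reports).
            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            httpResponse.setHeader("WWW-Authenticate", CHALLENGE);
        } else {
            // Known subject without the permission: re-authenticating
            // would not change the outcome, so 403 is the right answer
            // and no challenge header is sent.
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
        return false; // stop the filter chain in both cases
    }
}
```

Wiring the filter under a name in `shiro.ini` (e.g. in the `[main]` section) and using that name in `[urls]` with a permission argument exercises both branches: an anonymous request gets 401 plus the challenge, a logged-in user without the permission gets 403.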