The default behaviour of Shiro is to return 401 on a URL the logged-in user doesn't have roles or permissions to access.
Is it possible to make Shiro return 403 Forbidden in this case?

Thanks!

- Steinar

PS I've googled, but I'm still confused. E.g. I found this one:
http://shiro-user.582556.n2.nabble.com/change-shiro-behavior-on-access-denied-tt7577478.html#a7577482
but I don't know what authcBasic[permissive] means.

I configure Shiro using code, rather than from shiro.ini (because Shiro isn't able to find classes by name in an OSGi context), and I use PassThruAuthenticationFilter to be able to do a redirect after authentication:
https://github.com/steinarb/authservice/blob/da2873d261c10e0c037d02ef343abb8446f95681/authservice.web.security/src/main/java/no/priv/bang/authservice/web/security/AuthserviceShiroFilter.java#L72
