Benjamin Marwell created SHIRO-818:
--------------------------------------

             Summary: JAX-RS ExceptionMapper returns wrong status code
                 Key: SHIRO-818
                 URL: https://issues.apache.org/jira/browse/SHIRO-818
             Project: Shiro
          Issue Type: Bug
          Components: jax-rs
    Affects Versions: 1.7.1
            Reporter: Benjamin Marwell
            Assignee: Benjamin Marwell


ExceptionMapper:

{code:java}
if (exception instanceof UnauthorizedException) {
    status = Status.FORBIDDEN;
} else {
    status = Status.UNAUTHORIZED;
}
{code}

I am pretty sure it is meant the other way round.

Rationale: If you try to read a resource without authentication which has 
`@RequiresPermission` annotations, it will throw an UnauthenticatedException. 
But this should not lead to a status code UNAUTHORIZED, but to a status code 
FORBIDDEN.

Unauthorized should be returned for UnauthorizedException (hence the name).

Guests or any authenticated role could (at some point in the future) get the 
permission to read the resource, so FORBIDDEN is the correct status code.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)