[ https://issues.apache.org/jira/browse/SHIRO-818?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benjamin Marwell resolved SHIRO-818.
------------------------------------
Fix Version/s: 2.0.0
Resolution: Fixed
> JAX-RS ExceptionMapper returns wrong status code
> ------------------------------------------------
>
> Key: SHIRO-818
> URL: https://issues.apache.org/jira/browse/SHIRO-818
> Project: Shiro
> Issue Type: Bug
> Components: jax-rs
> Affects Versions: 1.7.1
> Reporter: Benjamin Marwell
> Assignee: Benjamin Marwell
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> ExceptionMapper:
> {code:java}
> if (exception instanceof UnauthorizedException) {
>     status = Status.FORBIDDEN;
> } else {
>     status = Status.UNAUTHORIZED;
> }
> {code}
> I am pretty sure it is meant the other way round.
> Rationale: If you try to read a resource without authentication which has
> `@RequiresPermission` annotations, it will throw an UnauthenticatedException.
> But this should not lead to status code UNAUTHORIZED, but to status code
> FORBIDDEN.
> Unauthorized should be returned for UnauthorizedException (hence the name).
> Guests or any authenticated role could (at some point in the future) get the
> permission to read the resource, so FORBIDDEN is the correct status code.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
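The snippet quoted in the issue decides the HTTP status with a single `instanceof` check and a catch-all `else`, so every `AuthorizationException` that is not an `UnauthorizedException` (not only `UnauthenticatedException`) ends up in the second branch. The following is an added illustration, not Shiro's own `ExceptionMapper` and not the fix that was committed for this ticket: it keeps the same two-way mapping as the quoted code (which of the two statuses belongs to which exception is exactly what the ticket debates) but names each branch explicitly, gives the remaining `AuthorizationException` subclasses a deliberate status instead of an inherited one, and exposes the decision as a pure function so it can be checked without a JAX-RS runtime. The class name `ExplicitShiroExceptionMapper`, the helper `statusFor`, the sample exception messages and the `javax.ws.rs` package (Shiro 1.7.x era) are all assumptions of this example.

```java
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;

/**
 * Hypothetical mapper (added example, not Shiro's own class). Both Shiro
 * exception types below extend AuthorizationException, which is why a
 * single mapper registered for that base type sees all of them.
 */
@Provider
public class ExplicitShiroExceptionMapper implements ExceptionMapper<AuthorizationException> {

    /** Pure decision function so the mapping can be unit-tested on its own. */
    static Status statusFor(AuthorizationException e) {
        if (e instanceof UnauthorizedException) {
            // Subject is known but lacks the required role/permission.
            return Status.FORBIDDEN;
        }
        if (e instanceof UnauthenticatedException) {
            // No authenticated subject at all (same branch the quoted snippet
            // reaches via its else; the ticket argues about this choice).
            return Status.UNAUTHORIZED;
        }
        // Any other AuthorizationException subclass, e.g. one thrown by a custom
        // realm: pick the status on purpose rather than by falling through.
        return Status.FORBIDDEN;
    }

    @Override
    public Response toResponse(AuthorizationException exception) {
        // Empty body: the exception message is for server logs, not the client.
        return Response.status(statusFor(exception)).build();
    }

    public static void main(String[] args) {
        // Constructed sample exceptions, one per branch of statusFor().
        AuthorizationException[] samples = {
            new UnauthenticatedException("no subject logged in"),
            new UnauthorizedException("missing permission doc:read"),
            new AuthorizationException("generic authorization failure")
        };
        for (AuthorizationException e : samples) {
            System.out.println(e.getClass().getSimpleName()
                    + " -> " + statusFor(e).getStatusCode());
        }
        // Expected with this mapping:
        //   UnauthenticatedException -> 401
        //   UnauthorizedException    -> 403
        //   AuthorizationException   -> 403
    }
}
```

Whichever way a project settles the 401/403 question raised in the ticket, a table-driven check like the `main` above is the cheap way to make the decision visible and to catch a silent swap of the two branches in review. One further caveat a practitioner will want when a mapper does return 401: RFC 7235 requires a 401 response to carry a `WWW-Authenticate` header naming the challenge scheme, which neither the quoted snippet nor this example adds.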