When a user is denied access to a resource annotated with @RolesAllowed,
RESTEasy throws an UnauthorizedException, which results in a 401 response
back to the client.  I'm curious as to why it doesn't respond with 403
Forbidden.  In my understanding of the HTTP protocol, a 401 response should
be returned if authentication is necessary (or if it fails), but in this
case, the user is authenticated successfully but is denied access to a
specific resource.  For my web service, I've created an
to return 403 Forbidden responses, but I thought I'd ping the RESTEasy
community to gain some insight into the default behavior.
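One way to get the 401/403 split the question describes, written here as an added example rather than code from the poster or from the RESTEasy project: a JAX-RS ExceptionMapper that catches the UnauthorizedException RESTEasy throws on a failed @RolesAllowed check and decides the status from the request's SecurityContext. It assumes RESTEasy's `org.jboss.resteasy.spi.UnauthorizedException` is the thrown type and that RESTEasy injects `@Context SecurityContext` into providers; the resource path, role name and realm string are made-up placeholders.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
import org.jboss.resteasy.spi.UnauthorizedException;

/**
 * Maps the UnauthorizedException RESTEasy raises when a @RolesAllowed check
 * fails to the status code HTTP actually calls for:
 *   - no authenticated principal   -> 401 Unauthorized with a WWW-Authenticate challenge
 *   - authenticated but not in role -> 403 Forbidden
 * Added example; not the poster's mapper and not part of RESTEasy.
 */
@Provider
public class AccessDeniedMapper implements ExceptionMapper<UnauthorizedException> {

    // Assumption: RESTEasy injects the request-scoped SecurityContext into providers.
    @Context
    private SecurityContext securityContext;

    @Override
    public Response toResponse(UnauthorizedException e) {
        boolean authenticated = securityContext != null
                && securityContext.getUserPrincipal() != null;

        if (!authenticated) {
            // RFC 7235: a 401 must carry a challenge telling the client how to authenticate.
            // "example" is a placeholder realm name.
            return Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"example\"")
                    .type(MediaType.TEXT_PLAIN)
                    .entity("Authentication required")
                    .build();
        }

        // The identity is known; what failed is authorization, so answer 403.
        // Keep the body generic rather than naming the role that was required.
        return Response.status(Response.Status.FORBIDDEN)
                .type(MediaType.TEXT_PLAIN)
                .entity("Access denied")
                .build();
    }
}

/** Illustrative guarded resource; the path and role name are invented for this example. */
@Path("/admin/reports")
class ReportsResource {
    @GET
    @RolesAllowed("admin")
    @Produces(MediaType.TEXT_PLAIN)
    public String reports() {
        return "quarterly report";
    }
}
```

The mapper only runs if RESTEasy's role-based security is switched on (otherwise @RolesAllowed is ignored and no exception is thrown) and if the provider is registered, either by classpath scanning or by listing it in your `Application.getClasses()`. Checking `getUserPrincipal()` rather than the exception message is what keeps the two cases apart: an anonymous caller still gets the 401 plus challenge that HTTP requires, while a logged-in user who simply lacks the role gets the 403 the question argues for.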

Resteasy-users mailing list