Open jerseyrobot opened 8 years ago
@glassfishrobot Commented Reported by dansiviter
@glassfishrobot Commented This issue was imported from java.net JIRA JERSEY-3065
403 Forbidden is correct for a non-authorized user. 401 Unauthorized is for non-authenticated users. It's misleading, but this is how it is defined in the HTTP spec.
In org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature[line:139] it's throwing a javax.ws.rs.ForbiddenException; however, this set off my OCD alarm. I believe it should be a javax.ws.rs.NotAuthorizedException as by definition it does not have any authorisation. It even says so in the locale messages.
I believe this is related to #3090, which did recommend a javax.ws.rs.NotAuthorizedException, but it looks like it has been subsequently overwritten by #3180. There is a recent comment about this, as the challenge is incorrect and not modifiable. Therefore this leads me to think we need this to be reverted and a way of setting the permissible challenges implemented.
Environment
ALL
Affected Versions
[2.22, 2.22.1, 2.22.2]
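As an added example (not Jersey's own code and not from the reporter), a JAX-RS DynamicFeature that makes the 401/403 distinction discussed in this issue explicit: a request with no authenticated principal gets 401 with a configurable WWW-Authenticate challenge, while an authenticated user outside the @RolesAllowed roles gets 403. The class and method names are assumptions, and the challenge string is a constructed placeholder.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.List;
import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.SecurityContext;

// Hypothetical feature: register via ResourceConfig.register(new ChallengeAwareRolesFeature("Bearer realm=\"api\""))
public class ChallengeAwareRolesFeature implements DynamicFeature {
    // The operator-chosen value for the WWW-Authenticate header (constructed placeholder in the usage above).
    private final String challenge;

    public ChallengeAwareRolesFeature(String challenge) { this.challenge = challenge; }

    @Override
    public void configure(ResourceInfo resourceInfo, FeatureContext context) {
        Method method = resourceInfo.getResourceMethod();
        RolesAllowed ra = method.getAnnotation(RolesAllowed.class);
        if (ra == null) ra = resourceInfo.getResourceClass().getAnnotation(RolesAllowed.class);
        if (ra != null) {
            context.register(new RolesFilter(Arrays.asList(ra.value()), challenge), Priorities.AUTHORIZATION);
        }
    }

    @Priority(Priorities.AUTHORIZATION)
    static final class RolesFilter implements ContainerRequestFilter {
        private final List<String> roles;
        private final String challenge;

        RolesFilter(List<String> roles, String challenge) { this.roles = roles; this.challenge = challenge; }

        @Override
        public void filter(ContainerRequestContext rc) {
            SecurityContext sc = rc.getSecurityContext();
            // No principal means the client never authenticated: 401 plus a challenge it can act on.
            if (sc == null || sc.getUserPrincipal() == null) throw new NotAuthorizedException(challenge);
            for (String role : roles) if (sc.isUserInRole(role)) return;
            // Authenticated but not in any permitted role: 403, re-authenticating would not help.
            throw new ForbiddenException();
        }
    }
}
```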