eclipse-ee4j / jersey

Eclipse Jersey Project - Read our Wiki:
https://github.com/eclipse-ee4j/jersey/wiki

RolesAllowed should throw NotAuthorizedException when no authorisation exists #3337

Open jerseyrobot opened 8 years ago

jerseyrobot commented 8 years ago

In org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature[line:139] it's throwing a javax.ws.rs.ForbiddenException; however, this set off my OCD alarm. I believe it should be a javax.ws.rs.NotAuthorizedException, as by definition it does not have any authorisation. It even says it in the locale messages.

I believe this is related to #3090 which did recommend a javax.ws.rs.NotAuthorizedException but looks like it has been subsequently overwritten by #3180. There is a recent comment about this as the challenge is incorrect and not modifiable. Therefore this leads me to think we need this to be reverted and a way of setting the permissible challenges implemented.

Environment

ALL

Affected Versions

[2.22, 2.22.1, 2.22.2]

jerseyrobot commented 8 years ago

@glassfishrobot Commented Reported by dansiviter

jerseyrobot commented 7 years ago

@glassfishrobot Commented This issue was imported from java.net JIRA JERSEY-3065

psamsotha commented 6 years ago

403 Forbidden is correct for a non-authorized user. 401 Unauthorized is for non-authenticated users. It's misleading, but this is how it is defined in the HTTP spec.
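The distinction the thread is arguing over, as an added example that is not Jersey's own `RolesAllowedDynamicFeature` and not code posted by anyone in this issue: a JAX-RS `DynamicFeature` that, for each `@RolesAllowed` method, answers 401 with a `WWW-Authenticate` challenge when the request carries no principal at all, and 403 when the caller is authenticated but holds none of the allowed roles. The class name, the `Bearer realm="example"` challenge string, and the expectation that an earlier filter (or the container) has populated the `SecurityContext` are assumptions of this example.

```java
import java.io.IOException;
import java.lang.reflect.Method;

import javax.annotation.Priority;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.DynamicFeature;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.SecurityContext;

// Added example, not Jersey's implementation. Registers a per-method filter that
// separates "not authenticated" (401 + challenge) from "not permitted" (403).
public class StatusAwareRolesAllowedFeature implements DynamicFeature {

    // Assumed challenge; a real deployment would configure the scheme and realm.
    private static final String CHALLENGE = "Bearer realm=\"example\"";

    @Override
    public void configure(ResourceInfo resourceInfo, FeatureContext context) {
        Method method = resourceInfo.getResourceMethod();
        Class<?> resourceClass = resourceInfo.getResourceClass();

        // Method-level @RolesAllowed takes precedence over the class-level one.
        RolesAllowed ra = method.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            ra = resourceClass.getAnnotation(RolesAllowed.class);
        }
        if (ra != null) {
            context.register(new RolesFilter(ra.value()));
        }
        // Methods without @RolesAllowed get no filter and stay open.
    }

    // Runs after authentication filters (Priorities.AUTHENTICATION) so that the
    // SecurityContext it inspects has already been populated.
    @Priority(Priorities.AUTHORIZATION)
    private static final class RolesFilter implements ContainerRequestFilter {
        private final String[] roles;

        RolesFilter(String[] roles) {
            this.roles = roles.clone();
        }

        @Override
        public void filter(ContainerRequestContext request) throws IOException {
            SecurityContext sc = request.getSecurityContext();

            // No principal: the request presented no usable credentials, so the
            // answer is 401 plus a WWW-Authenticate header telling the client how
            // to authenticate. NotAuthorizedException builds that response from
            // the challenge(s) passed to its constructor.
            if (sc == null || sc.getUserPrincipal() == null) {
                throw new NotAuthorizedException(CHALLENGE);
            }

            // Known caller, wrong roles: 403. Re-authenticating as the same user
            // would not change the outcome, so no challenge is sent.
            for (String role : roles) {
                if (sc.isUserInRole(role)) {
                    return;
                }
            }
            throw new ForbiddenException();
        }
    }
}
```

Register it like any other provider (for example `register(StatusAwareRolesAllowedFeature.class)` in an `Application` subclass). A request with no credentials to a `@RolesAllowed` method then gets `401 Unauthorized` with `WWW-Authenticate: Bearer realm="example"`, while a request from an authenticated user lacking the role gets `403 Forbidden`; this differs from the behaviour the issue describes at line 139, where both cases end in `ForbiddenException`. The filter only ever sees what the `SecurityContext` reports, so if nothing upstream authenticates the request, every caller is anonymous and every `@RolesAllowed` method returns 401.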