Posted to dev@shiro.apache.org by "Benjamin Marwell (Jira)" <ji...@apache.org> on 2021/05/20 10:11:00 UTC

[jira] [Created] (SHIRO-818) JAX-RS ExceptionMapper returns wrong status code

Benjamin Marwell created SHIRO-818:
--------------------------------------

             Summary: JAX-RS ExceptionMapper returns wrong status code
                 Key: SHIRO-818
                 URL: https://issues.apache.org/jira/browse/SHIRO-818
             Project: Shiro
          Issue Type: Bug
          Components: jax-rs
    Affects Versions: 1.7.1
            Reporter: Benjamin Marwell
            Assignee: Benjamin Marwell


ExceptionMapper:

{code:java}
// Current mapping in the Shiro JAX-RS ExceptionMapper (reported here as inverted):
if (exception instanceof UnauthorizedException) {
    status = Status.FORBIDDEN;
} else {
    status = Status.UNAUTHORIZED;
}
{code}

I am pretty sure it is meant the other way round.

Rationale: If you try to read a resource which has `@RequiresPermission` annotations without authentication, it will throw an UnauthenticatedException. But this should not lead to status code UNAUTHORIZED, but rather to status code FORBIDDEN.

Unauthorized should be returned for UnauthorizedException (hence the name).

Guests or any authenticated role could (at some point in the future) get the permission to read the resource, so FORBIDDEN is the correct status code.


