Posted to dev@shiro.apache.org by "Benjamin Marwell (Jira)" <ji...@apache.org> on 2021/05/20 10:11:00 UTC
[jira] [Created] (SHIRO-818) JAX-RS ExceptionMapper returns wrong status code
Benjamin Marwell created SHIRO-818:
--------------------------------------
Summary: JAX-RS ExceptionMapper returns wrong status code
Key: SHIRO-818
URL: https://issues.apache.org/jira/browse/SHIRO-818
Project: Shiro
Issue Type: Bug
Components: jax-rs
Affects Versions: 1.7.1
Reporter: Benjamin Marwell
Assignee: Benjamin Marwell
ExceptionMapper:
{code:java}
if (exception instanceof UnauthorizedException) {
    status = Status.FORBIDDEN;
} else {
    status = Status.UNAUTHORIZED;
}
{code}
I am pretty sure it is meant the other way round.
Rationale: If you try to read a resource which has `@RequiresPermission` annotations without authentication, it will throw an UnauthenticatedException. But this should not lead to status code UNAUTHORIZED; it should lead to status code FORBIDDEN.
Unauthorized should be returned for UnauthorizedException (hence the name).
Guests or any authenticated role could (at some point in the future) get the permission to read the resource, so FORBIDDEN is the correct status code.
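Whichever way the two status constants end up assigned, the check quoted in the issue has a second subtlety worth testing for: in Shiro, UnauthenticatedException extends UnauthorizedException, so `exception instanceof UnauthorizedException` is also true for an unauthenticated caller and the subclass must be tested first or it is swallowed by the parent branch. The mapper below is an added example, not Shiro's own ExceptionMapper. It tests the subclass first, maps UnauthenticatedException to 401 and UnauthorizedException to 403 (the split HTTP itself defines: RFC 7235 section 3.1 uses 401 for a request lacking valid credentials, RFC 7231 section 6.5.3 uses 403 for a request the server understood but refuses to authorize), and attaches the WWW-Authenticate challenge that RFC 7235 requires on every 401. The issue argues for the reverse assignment; swapping the two Status values in `statusFor` gives that. The class name `ShiroStatusMapper` and the realm string in `CHALLENGE` are assumptions of this example.

```java
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.ext.Provider;

import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.UnauthenticatedException;
import org.apache.shiro.authz.UnauthorizedException;

// Added example, not Shiro's own mapper: maps Shiro authorization failures
// raised by @RequiresPermissions / @RequiresRoles / @RequiresAuthentication
// to HTTP statuses, testing the most specific exception type first.
@Provider
public class ShiroStatusMapper implements javax.ws.rs.ext.ExceptionMapper<AuthorizationException> {

    // Assumed realm name for the challenge; adjust to the deployment's scheme.
    private static final String CHALLENGE = "Bearer realm=\"api\"";

    @Override
    public Response toResponse(AuthorizationException exception) {
        Status status = statusFor(exception);
        Response.ResponseBuilder builder = Response.status(status);
        if (status == Status.UNAUTHORIZED) {
            // RFC 7235 section 3.1: a 401 MUST carry a WWW-Authenticate challenge.
            builder.header(HttpHeaders.WWW_AUTHENTICATE, CHALLENGE);
        }
        return builder.build();
    }

    // Order matters: UnauthenticatedException is a subclass of
    // UnauthorizedException, so the subclass check has to come first.
    static Status statusFor(AuthorizationException exception) {
        if (exception instanceof UnauthenticatedException) {
            // No valid credentials at all: the caller can still authenticate.
            return Status.UNAUTHORIZED;   // 401
        }
        // Authenticated (or any other authorization failure) but not permitted.
        return Status.FORBIDDEN;          // 403
    }
}
```

The `@Provider` annotation is enough when the JAX-RS runtime scans for providers; otherwise return the class from `Application.getClasses()`. A quick check with two requests, one with no credentials and one with a valid session but without the required permission, should produce 401 with a WWW-Authenticate header and 403 respectively; if both return the same status, the subclass ordering above is the first thing to verify.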