Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-6656

Elytron Http status code for missing LoginPermission

    XMLWordPrintable

Details

    Description

      Lack of LoginPermission leads to 401 http code. Which could IMO indicate user can try to login again with different password. However it won't help in this case. I wonder, wouldn't 403 Forbidden be more suitable here? Indicating user authentication passed, but user is missing some permission.

      Setting with low priority as in DR7 in default configuration LoginPermission is added by default.

      David: "I think you may be right @MartinChoma - 401 is called "unauthorized" but really it should say "authentication required" 403 is the correct response for an authorization error"

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2437 Elytron Http status code for missing LoginPermission

          • Optional - The request should be considered desirable but is not an immediate necessity.
          • Resolved
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-6402 Wrong HTTP error code for Elytron authentication when LDAP server is unreachable

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              Unassigned Unassigned
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: