RESTEASY-1249 introduced default message for 403 errors generated by RoleBasedSecurityFilter. However, this default message cannot be overridden by an ExceptionMapper, because an ExceptionMapper is not executed on exceptions that already have an entity. This makes it impossible to customize the response body (or headers) for those errors, and is essentially a regression.

Workaround: ContainerResponseFilter can still be used to customize response, but it would have to filter all responses by status and at that point exception info is already partially lost.