Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-1249

If RoleBased authorization fails the response returned doesn't contain a body text

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 3.0.15.Final
    • 3.0.13.Final
    • jaxrs
    • None

      If RoleBased authorization fails the response returned doesn't contain a body text (only the reponse status code is set to 403).

      I have following resource:

      @GET
      @Path("/deny")
      @DenyAll
      public String deny() {
        return "SHOULD NOT BE REACHED";
      }
      

      Exexuting get method on this resource returns Response with status code 403 and empty response.getEntity().

      The HTTP specification for 403 code [1] says:
      "... If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead."

      The response should either provide and explanation for 403 code or return 404.

      [1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4

            rsigal@redhat.com Ronald Sigal
            kanovotn Katerina Odabasi (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: