  1. Undertow
  2. UNDERTOW-254

IPAddressAccessControlHandler should allow for alternative error codes

    • Low

      The `IPAddressAccessControlHandler` returns a 403 (Forbidden) when a caller is not allowed through. This handler is a nice bit of functionality for the use of CIDR rules.

      However, sometimes an application may want to return a 404 (Not Found) when they don't want to expose sensitive administrative endpoints. This is important when a service is exposed externally.

      The `IPAddressAccessControlHandler` can be subclassed and the `handleRequest` method overwritten, but the return code cannot be altered and the `isAllowed` function is package-private.

      To solve this, either `isAllowed` should be changed to be protected or the return code should be settable.

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              vonnagy Ivan von Nagy (Inactive)
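An added example, not Undertow's code or the reporter's: a JDK-only illustration of the behaviour the issue asks for, CIDR allow rules evaluated with default deny and a deny status chosen by the application. `CidrGate`, `addAllow` and `statusFor` are hypothetical names, and the peer addresses in `main` are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical stand-alone gate: CIDR allow rules plus a configurable deny status. */
public class CidrGate {
    private static final class Rule {
        final byte[] network; final int prefix;
        Rule(byte[] network, int prefix) { this.network = network; this.prefix = prefix; }
    }
    private final List<Rule> allow = new ArrayList<>();
    private final int denyStatus;
    public CidrGate(int denyStatus) { this.denyStatus = denyStatus; }

    /** Adds a rule such as "10.0.0.0/8" or "fd00::/8"; pass IP literals so no DNS lookup happens. */
    public CidrGate addAllow(String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
        if (prefix < 0 || prefix > net.length * 8) throw new IllegalArgumentException(cidr);
        allow.add(new Rule(net, prefix));
        return this;
    }

    /** Returns 0 when the caller may proceed, otherwise the configured deny status. */
    public int statusFor(InetAddress peer) {
        byte[] addr = peer.getAddress();
        for (Rule r : allow) {
            // An IPv4 rule never matches an IPv6 peer, and vice versa.
            if (r.network.length == addr.length && matches(r, addr)) return 0;
        }
        return denyStatus; // no rule matched: default deny
    }

    private static boolean matches(Rule r, byte[] addr) {
        int full = r.prefix / 8, rest = r.prefix % 8;
        for (int i = 0; i < full; i++) if (r.network[i] != addr[i]) return false;
        if (rest == 0) return true;
        int mask = (0xFF << (8 - rest)) & 0xFF; // high bits of the partial byte
        return (r.network[full] & mask) == (addr[full] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        // 404 instead of 403 for an administrative endpoint, as the issue describes.
        CidrGate admin = new CidrGate(404).addAllow("10.0.0.0/8").addAllow("192.168.1.0/24");
        for (String ip : new String[] {"10.2.3.4", "192.168.2.9", "203.0.113.7"}) { // constructed peers
            System.out.println(ip + " -> " + admin.statusFor(InetAddress.getByName(ip)));
        }
    }
}
```

For a 404 to hide an endpoint, the denied response has to be indistinguishable from the server's ordinary 404, body and headers included.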